Bug bounty and security

Kathryn Reddie August 24, 2023

Hi all,

I would like to purchase an add-on for Confluence Data Centre that is not part of the Bug bounty program.

Is it still secure for me to use? I don't quite understand what it means, and I know our IT Security team will ask before approving the purchase ...

Thanks in advance,

Kathryn.

1 answer

1 accepted

0 votes
Answer accepted
Radek Dostál
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
August 25, 2023

Nothing really can be guaranteed to be secure - vulnerabilities and exploits are being found on a continuous basis and that is why Atlassian sometime issue security patch hotfixes.

 

I'd argue that for the most part, apps don't really expose any more attack vectors than the underlying app (Confluence). In my non-security-analyst opinion, it's more of a statement, and more of a thing to shine to customers with. However, there certainly are some things that could be exploited. Think about Log4j - a dependency used in java programs. Everything had to be checked and patched.

Apps are built with plenty dependencies (or libraries), any of them could be vulnerable. The app could also write some tragic code which enables exploits, denial of service, etc.

Having written a couple apps, I'd say introducing any new vulnerability which doesn't affect Confluence itself, would take some ingenious talent, but you can never know what someone did while they made it, or which libraries they used.

 

For example, an app could just introduce a new macro. This macro only accepts plain text for parameters, and let's say it prints it with some specific markup on the page. In this case, there's pretty much nothing here to look for. Participating in the program would be a loss of time and money.

On the other hand, an app could take that plain text and run a SQL query with it, and when done in a shamefully poor way, let's say this is vulnerable to an SQL injection. Now we have a problem, which with the bug bounty program, might be found so it can be patched. Participating in the program would (likely) lead to the SQL injection discovery, resulting in a report towards the vendor, which they have to remediate and release an update for.

 

So, if an app is covered by the bug bounty program, they have to react to any discovered/reported vulnerabilities, but if it's not, they don't have to, and they might not even know about it.

 

Take a look through this page which explains the program in far more detail: https://developer.atlassian.com/platform/marketplace/marketplace-security-bug-bounty-program

Kathryn Reddie August 29, 2023

Thank you. :)

Suggest an answer

Log in or Sign up to answer
DEPLOYMENT TYPE
SERVER
VERSION
7.13.7
TAGS
AUG Leaders

Atlassian Community Events