How often do Atlassian perform penetration testing on JIRA?

Cameron Baxter December 17, 2019


3 answers

2 accepted

1 vote
Answer accepted
Avery Lane
Atlassian Team
August 16, 2023

To clear up some confusion, regarding this article:

https://www.atlassian.com/trust/security/security-practices#security-knowledge-base 

This section reads:

Our security testing approach is built around the concept of ‘continuous assurance’ – not only do we make use of targeted, point-in-time penetration tests, we also have an always-on testing model using a crowd-sourced bug bounty. We believe this multi-faceted approach maximises our chances of finding vulnerabilities and providing our customers with the most secure products possible. More information is available in our separate paper covering our approach to external security testing, and a summary of our testing measures is provided below.

Clarification can be found in this article: 

https://www.atlassian.com/trust/security/security-testing

We do use specialist security consulting firms to complete penetration tests on high risk products and infrastructure. This may be a new infrastructure set up for us (e.g. our Cloud environment), a new product (e.g. Trello) or a fundamental re-architecture (e.g. the extensive use of micro-services). 

Our approach to penetration testing in these cases is highly targeted and focused. Such tests will generally be:

  • White box - The testers will be provided with design documentation and briefings from our product engineers to support their testing
  • Code assisted - The testers will have full access to the relevant code base to help diagnose any unexpected system behaviour during testing and to identify potential targets
  • Threat based - Testing will focus on a particular threat scenario, such as assuming a compromised instance exists, and testing lateral movement from that starting point

We post Letters of Assessment (LoA) from our penetration testing partners for external consumption at the bottom of this page. Due to the extensive internal information made available to the testers in conducting these assessments, we do not provide full reports. The majority of these systems and products will subsequently be included in our public bug bounty program, providing the on-going external assurance that our customers seek. Any findings from these assessments will be triaged and remediated according to our Public Security Vulnerability SLO.


0 votes
Answer accepted
Andy Heinzer
Atlassian Team
December 19, 2019

Hi Cameron,

I understand you are looking to understand how often Atlassian is performing security testing against Jira Cloud. There is more info in regards to this in Our Approach to External Security Testing. From that page:

Our external security testing approach is built around the concept of 'continuous assurance' – rather than a point-in-time penetration test, we have an always-on, always-testing model using a crowd-sourced bug bounty.

So while we don't have an "x number of tests over y period of time"-type answer here, the answer is that Atlassian is continuously seeking out ways to discover vulnerabilities in our own products. We would much rather learn of these from our bug bounty program than to find them in the wild.

There is also more information about our approach in https://www.atlassian.com/trust/security/security-practices#product-security-testing.

I hope this helps.

Andy

Cameron Baxter December 19, 2019

Perfect thank you!

0 votes
Gaurav Singh June 12, 2020

thank you!!
