Insights from Marketplace Partners on the new Atlassian Marketplace Bug Bounty Program

A bug bounty program is one of the most powerful post-production tools that any organization can implement to help detect vulnerabilities in their applications and services. Crowdsourcing vulnerability discovery complements already existing skill sets by providing access to a talented pool of security researchers who can work directly with development and security teams across the organization.

Atlassian has been running a public bug bounty program since 2017. The program is widely regarded as a very successful one, winning Bugcrowd’s Program of the Year award in both 2018 and 2019.

Off the back of this success, Atlassian has continued to expand the scope of the Bug Bounty Program, and recently announced the launch of a new initiative, the Atlassian Marketplace Bug Bounty Program, which allows Atlassian to scale the success of the Atlassian Bug Bounty Program out to our Marketplace Partners.

The Atlassian Marketplace Bug Bounty Program

The Atlassian Marketplace Bug Bounty Program is a collaboration between Atlassian and its Marketplace Partners to bring the power of crowdsourced security to apps hosted on the Atlassian Marketplace. Marketplace Partners willing to join the program are given free access to Atlassian’s Marketplace Bug Bounty platform, empowering them to connect directly with a global community of security researchers, eager to help increase the security of their apps.

Once a Marketplace Partner has onboarded to the Atlassian Marketplace Bug Bounty Program, security researchers are invited to start testing the security of the partner's apps. If a researcher believes that they have discovered a vulnerability, they write up a report and submit it to the Marketplace Partner for further analysis and assessment. If the issue is confirmed to be a vulnerability, the Marketplace Partner pays the researcher a “bounty” for the finding and then fixes the issue, increasing the security of their apps and building trust with our customers.

Insights from Marketplace Partners Adaptavist and Tempo

Two such partners participating in the Atlassian Marketplace Bug Bounty program are Adaptavist and Tempo. These two partners were part of the initial beta that Atlassian ran to test the program before rolling it out to the larger ecosystem. I had a chance to sit down with Steinunn Tomasdottir (ST), a Product Marketer at Tempo, and Jon Mort (JM), Head of Product Engineering at Adaptavist, to discuss the impact of the program for them and get their general thoughts about how it has increased security for their customers.

“What interested you the most in being one of the first Marketplace partners to participate in the bug bounty program?”

JM: We had been thinking about what else we could be doing to increase trust and security and we were considering external testing for a while. We found it would have been quite expensive with a rather poor value for a one-off penetration test. When we learned about the bug bounty, it was an immediate yes to participate.

ST: We were really excited to be a part of this program with Atlassian because we hoped that the bug bounty program would help give us the expertise to expose vulnerabilities we would not have otherwise known about.

“What are some of the benefits that you see for customers with the bug bounty program?”

ST: With the bug bounty program, I think this shows to our customers that we take trust and cloud security very seriously.

JM: Yeah, and the biggest value of the bug bounty program for customers is an across-the-board increase of quality for all of the Marketplace apps.

“How many bugs have been discovered through the program? What sort of improvements did this lead to?”

ST: Our team has fixed about 12 bugs at this point through the program. All of them helped strengthen our product. The team really liked that through Bugcrowd, they could see the severity of each bug and what kind (feature vs. system configuration) and it helps them pinpoint problems they would otherwise not have had the capacity to discover.

JM: We’ve had a few less bugs that have been fixed and a few that are still on-going. I think one of the biggest improvements this program has led to is the number of things our engineers have discovered before launching an app into the program. They have a lot of pride in their product and want to fix all the bugs before it gets put before someone else.

“What have been some of the challenges of the bug bounty program?”

ST: At the beginning, we were uncertain about the journey that we were starting. We were afraid that there would be some false positives or unrelated incidents that would come through but that hasn’t been the case.

JM: Our biggest challenge was getting the research brief right in the first place: having enough detail to direct researchers to where you want them to look. We got some good advice from Atlassian’s Ecosystem Security team and that helped make it clear what was in and out of scope, and what we needed to add extra detail about. It took some time to educate the Bugcrowd security engineers in their triage but that effort has really paid off. I’ve been very impressed with the quality of triage they have been able to do.

“What do you think is important for customers to know about how the bug bounty program benefits cloud security?”

ST: I think it’s important for our customers to know that we are concerned about our vulnerability and we’re not afraid to talk about it. We are working on it everyday and this program has given us the expertise to find and fix these bugs properly.

JM: I would love customers to come away with the impression that they can trust our app more because we have this ongoing vulnerability scanning.

“What’s next on the roadmap for improving cloud security?”

JM: Our goal is to get all of our apps into the bug bounty program which means writing a lot of scope documents. We’re also doing the CAIQ-Lite questionnaire which has highlighted a few things that we can do better with. We’re hopeful that we can get the majority of our apps into the program in the next few months.

ST: We want to continue building upon the bug bounty program for cloud but we’re considering what’s next. We’ve been discussing the possibility of using this program also for our server and mobile apps.

“Any words of wisdom for other Marketplace Partners?”

JM: The Marketplace Bug Bounty program is really good value for what you get. You only pay out for what is found and it’s a lot cheaper than paying for penetration testing from a security company. I’m very enthusiastic about it and I think it’s something that will improve the trust and security of the whole ecosystem. My number one piece of advice for partners would be to make sure you spend enough time on your scope to determine what is in and out of scope.

ST: It’s a win-win-win situation. You win, customers win, Atlassian wins. It makes financial sense to outsource bug hunting to people who do this for a living.

---

We hope you learned valuable information about Atlassian’s new Marketplace Bug Bounty program and what it entails. This is the latest article in our Cloud app series on the community. Check out the full list of articles here to learn more about cloud apps from the Atlassian Marketplace.


2 comments
Matt Doar
Community Leader
April 2, 2020

Do the security researchers have access to the source code of the vendors' apps? Or is this a closed system sort of thing.

Matt Hart
Atlassian Team
April 5, 2020

@Matt Doar The researchers don't get access to source code - the researchers get access to everything that customers would get access to. There's no special access to the apps for security researchers at this stage.
