Looking for Secure Engineering info to help evaluate Statuspage


1) Was Statuspage included in the penetration testing outlined by the pen test report available on the web site? That is, can we assume it was pen tested and all results are included in the report?

2) Does Atlassian have additional information on how their development practices and policies for Statuspage reflect their commitment to secure engineering? I found the CAIQ self assessment for Jira and Confluence Cloud, HipChat and Bitbucket cloud offerings, but Statuspage is more elusive.

I'm interested in these areas:

  • Education/Awareness,
  • Project Planning,
  • Threat Modeling,
  • Security Requirements,
  • Secure Coding, and
  • Security Testing.

This would answer questions like:

  • Do developers receive secure coding education?
  • How is Statuspage tested besides its external pen testing?
  • Are there secure coding standards in place which Atlassian can share?
  • Can Atlassian share its Threat Model for Statuspage, or give more information on how threat modeling is used in design and development and testing of the product?

1 answer

0 votes
Dylan Etkin
Atlassian Team
Feb 15, 2018

I'll be honest, we don't have formal documentation that we can point you to about how we concern ourselves with secure coding for Statuspage. Also, we haven't had an external pen test for about 2 years now.

However, there are a number of things we do as an Atlassian product related to security.

1. Atlassian has an internal security team and that team runs network and XSS scanners on the product regularly.

2. We run a public bug bounty program and we conform to strict internal SLAs around addressing the issues raised. The SLAs vary based on the severity of the vulnerability.

3. We run our infrastructure on the internal Atlassian PaaS which has been built from the ground up with security in mind and which has passed many internal and external security audits. Using this PaaS means that every deploy we do spins up a new set of AWS EC2 instances, so our running instances are never long-lived. It's also the case that none of these instances have public remote access.

4. We also conform to a SOX-compliant coding standard that Atlassian has adopted. All code that is deployed must go through peer code review and receive two independent approvals before being deployed.

Our developers do not receive any special secure coding training but we do have very senior engineers that have worked on products at scale on the team.

I hope this information helps a bit and I'm sorry I don't have more concrete information to share.

Thanks, @Dylan Etkin. That does help.

May I suggest that Atlassian explicitly include Statuspage as one of the test targets in its Bug Bounty program?
