You're on your way to the next level! Join the Kudos program to earn points and save your progress.
Level 1: Seed
25 / 150 points
1 badge earned
Challenges come and go, but your rewards stay with you. Do more to earn more!
What goes around comes around! Share the love by gifting kudos to your peers.
Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!
Join now to unlock these features and more
We maintain an always-on bug bounty to identify and triage issues in our products and services. Many customers ask us for ‘penetration reports’ or similar - basically a report from a third party that shows that we are testing the security of our own products and services.
We believe our always-on bug bounty, with more than 1200+ security researchers (think: extension of our own team), provides better value than a couple of people for a week or two. We also recently published our thinking on the differences in penetration tests versus vulnerability assessments versus a bug bounty program on our Approach to Security Testing page on our external website.
At the start of each quarter, we publish a roll-up report from each of our Bug Bounty programs to give our customers a view of the progress of the program and the vulnerabilities. For many customers, these reports can take the place of a penetration test report and shows that we are actively testing and identifying any security issues that are in our products or services.
Stats for the Quarter
In the January 2022 to March 2022 quarter, we had 209 individual security researchers contribute to our bug bounty program, submitting a total of 559 bugs for review, with a total of 151 valid bugs, which is an average of ~25.6% valid bug to noise ratio (with a low of 0% valid bug to noise ratio in our Statuspage program and a high of 60% valid bug to noise ratio in our Jira Align program) across our six independent bug bounty programs. In the July 2021 to September 2021 quarter, there were a total of 65 working days (excluding weekends and holidays), which means we had 2.87 additional security researchers testing our Products and Services per day.
Compared to the October to December 2021 quarter, we had 12% more security researchers, 40% fewer bugs submitted for review, and 51% fewer valid bugs, with a higher bug-to-noise ratio by ~5%.
Get the Reports
If you have customers asking for a penetration test report, point them out to the Approach to Security Testing page, where (down at the bottom) we have published reports for Atlassian (including Jira, Confluence, Bitbucket, and more), Halp, Jira Align, Opsgenie, Statuspage, and Trello. We have also published the same links to the Security Testing section of our Security Practices page.
Download current test reports
These reports show the progress of our bug bounties for the January 2022 to March 2022 quarter. Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and are closed according to the SLA timelines on our Security Bug Fix Policy.