Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,298,527
Community Members
 
Community Events
165
Community Groups

Atlassian Bug Bounty Update - October 2021

We maintain an always on bug bounty to identify and triage issues in our products and services. Many customers ask us for ‘penetration reports’ or similar - basically a report from a third-party that shows that we are testing the security of our own products and services.

We believe our always-on bug bounty, with more than 1200+ security researchers (think : extension of our own team) provides better value than a couple of people for a week or two. We also recently published our thinking on the differences in penetration tests versus vulnerability assessments versus a bug bounty program on our Approach to Security Testing page on our external website.

Once a quarter, we publish a roll-up report from each of our Bug Bounty programs to give our customers a view on progress of the program and the vulnerabilities. For many customers, these reports can take the place of a penetration test report, and shows that we are actively managing and closing any security issues that are in our products or services.

Stats for the Quarter

In the July 2021 to September 2021 quarter, we had 246 individual security researchers contribute to our bug bounty program, submitting a total of 854 bugs for review, with a total of 306 valid bugs, which is an average of ~26% valid bug to noise ratio across our four independent bug bounty programs. In the July 2021 to September 2021 quarter, there were a total of 65 working days (excluding weekends and holidays), which means we had 3.6 additional security researchers testing our Products and Services per day.

Compared to the April to June 2021 quarter, we had 7% more security researchers, 44% more bugs submitted for review, and 52% more valid bugs, with a higher bug to noise ratio by ~24%.

Get the Reports

If you have customers asking for a penetration test report, point them out to the Approach to Security Testing page, where (down at the bottom) we have published reports for Atlassian (including Jira, Confluence, Bitbucket and more), Statuspage, Trello and Opsgenie. We have also published the same links to the Security Testing section of our Security Practices page.

Download current test reports

These reports show the progress of our bug bounties for the July 2021 to September 2021 quarter. Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and are closed according to the SLA timelines on our Security Bug Fix Policy.

 

2 comments

Hi @Bill Marriott,

According to the https://www.atlassian.com/trust/security/security-testing , is there available that Atlassian makes a penetration test report for any apps? Or is this app vendor's job, responsibility? 

@Bill Marriottor is it such clear that I shouldn't even ask? :D

Comment

Log in or Sign up to comment
TAGS

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you