Bug Bounty October 2023 Update

At the start of each quarter, we publish a roll-up report from each of our Bug Bounty programs to give our customers a view of the progress of the program and the vulnerabilities. For many customers, these reports can take the place of a penetration test report and shows that we are actively testing and identifying any security issues that are in our products or services.

As part of our commitment to ensuring the highest level of security for our systems, we have expanded our efforts to include both penetration tests and our always-on bug bounty program. With over 1200+ security researchers contributing, our bug bounty program serves as an extension of our own team, providing continuous monitoring and testing for potential vulnerabilities. We believe that this comprehensive approach provides superior value when combined with targeted penetration tests that are also performed (we post updated Letters of Assessment for each product’s penetration test on our Approach to Security Testing, at the bottom of the page).

Expansion of Atlassian’s Security Testing Capability

Security Testing efforts within Atlassian have increased over the past year, including the expansion and development of our internal penetration testing & technical security assurance capability. The Security Testing team work in collaboration with reputable cyber security consultancies to provide technical security assurance of Atlassian products, as well as high-priority internal projects and other systems. Atlassian uses Security Testing to complement our Bug Bounty program with internal benchmarking and a balanced portfolio of technical security assurance methods.

This approach ensures that Atlassian's products and services undergo rigorous testing and evaluation. By combining the Bug Bounty program with the efforts by our security testing team, Atlassian can leverage the expertise of external researchers while also maintaining a proactive and comprehensive security posture.

You can read more about these efforts at: Approach to External Security Testing where additionally we publish Letters of Assessment for the annual penetration tests performed on Atlassian products.

Bug Bounty Stats for the Quarter

In the July 2023 to September 2023 quarter, we had 196 individual security researchers contribute to our bug bounty program, submitting a total of 375 bugs for review, with a total of 131 valid bugs, which is an average of ~22% valid bug to noise ratio (with a low of 17% valid bug to noise ratio in our Opsgenie program and a high of 41% valid bug to noise ratio in our Statuspage program) across our six independent bug bounty programs.

Compared to the April 2023 to June 2023 quarter, we had a 14% decrease in security researchers, 12% fewer bugs submitted for review, and a 35% increase in valid bugs, with a higher bug-to-noise ratio by ~0.3%.

Get the Reports

If you have customers asking for a penetration test report, point them out to the Approach to Security Testing page, where (down at the bottom) we have published reports for Atlassian (including Jira, Confluence, Bitbucket, and more), Halp, Jira Align, Opsgenie, Statuspage, and Trello. We have also published the same links to the Security Testing section of our Security Practices page.

Download current test reports

These reports show the progress of our bug bounties for the July 2023 to September 2023 quarter. Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and are closed according to the SLA timelines on our Security Bug Fix Policy.

• Download the latest Atlassian bug bounty report (2023-10)

• Download the latest Halp bug bounty report (2023-10)

• Download the latest Jira Align bug bounty report (2023-10)

• Download the latest Opsgenie bug bounty report (2023-10)

• Download the latest Statuspage bug bounty report (2023-10)

• Download the latest Trello bug bounty report (2023-10)