July 2020 - June 2021 Atlassian Annual Bug Bounty Report

As we highlight each quarter, we maintain an always-on bug bounty to identify and triage security vulnerabilities in our products and services. Many customers ask us for 'penetration reports' or similar: a report from a third party showing that we are testing the security of our own products and services.

We believe our always-on bug bounty, with more than 1,200 security researchers (think: an extension of our own team), provides better value than a couple of people for a week or two. We have published our perspective on the differences between penetration tests, vulnerability assessments and a bug bounty program on the Approach to Security Testing page on our external website.

This year, we are publishing for the first time an in-depth whitepaper detailing a full year of statistics and information about our bug bounty program. The whitepaper includes statistics and data for the July 2020 to June 2021 timeframe, which is Atlassian’s fiscal year.

We published this whitepaper about our Bug Bounty programs to give our customers a view of the program's progress and some details of the vulnerabilities that were discovered. For many customers, these reports can take the place of a penetration test report, and they show that we are actively managing and resolving any security issues found in our products or services.

Stats for the year

In the July 2020 to June 2021 timeframe, 77 individual security researchers contributed to our bug bounty program, reporting a total of 348 valid vulnerabilities. The highest reported vulnerability severity was Medium, which accounted for nearly two-thirds of the valid vulnerabilities. The three most frequently found vulnerability types were cross-site scripting (XSS), broken authentication and session management, and improper authorization, which collectively accounted for 57% of valid vulnerabilities. The total payout of the bug bounty program for the July 2020 to June 2021 timeframe was $258,350 USD.

Download the annual bug bounty report

The July 2020 to June 2021 Annual Bug Bounty Report can be found on our Security at Atlassian main page.

1 comment

This has been definitely a great initiative from Atlassian, and a win-win situation for all those involved:

  • Atlassian builds more trust and offers a better value to the customer.
  • The customer gets more value from their purchases.
  • Atlassian Marketplace vendor participants in the Bug Bounty initiative (like us with Exporter Cloud and Projectrak Cloud) get quality insights to enhance the security of their apps.

This report is very insightful. I think the overall "Stats of the year" paragraph sums it up pretty well.

From a vendor perspective: since November 2020, we've had 10 vulnerabilities reported in total, all of them with a vulnerability severity of Medium.

Thank you very much for sharing @Bill Marriott
