As we highlight each quarter, we maintain an always-on bug bounty to identify and triage security vulnerabilities in our products and services. Many customers ask us for ‘penetration reports’ or similar - a report from a third-party that shows that we are testing the security of our own products and services.
We believe our always-on bug bounty, with more than 1200 security researchers (think: an extension of our own team), provides better value than a couple of people for a week or two. We have published our perspective on the differences between penetration tests, vulnerability assessments and a bug bounty program on our Approach to Security Testing page on our external website.
This year, we are publishing for the first time an in-depth whitepaper detailing a full year of statistics and information about our bug bounty program. The whitepaper includes statistics and data for the July 2020 to June 2021 timeframe, which is Atlassian’s fiscal year.
We published this whitepaper about our Bug Bounty programs to give our customers a view of the program's progress and some details of the vulnerabilities that were discovered. For many customers, these reports can take the place of a penetration test report, and they show that we are actively managing and resolving any security issues that are found in our products or services.
Stats for the year
In the July 2020 to June 2021 timeframe, 77 individual security researchers contributed to our bug bounty program, reporting a total of 348 valid vulnerabilities. The highest reported vulnerability severity was Medium, which accounted for nearly two-thirds of the valid vulnerabilities. The three most common vulnerability types were cross-site scripting (XSS), broken authentication and session management, and improper authorization, which collectively accounted for 57% of valid vulnerabilities. The total payout of the bug bounty program for the July 2020 to June 2021 timeframe was $258,350 USD.
Download the annual bug bounty report
The July 2020 to June 2021 Annual Bug Bounty Report can be found on our Security at Atlassian main page.
Bill Marriott
Trust & Security
Atlassian
Sydney