Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

July 2020 - June 2021 Atlassian Annual Bug Bounty Report

As we highlight each quarter, we maintain an always-on bug bounty to identify and triage security vulnerabilities in our products and services. Many customers ask us for ‘penetration reports’ or similar - a report from a third-party that shows that we are testing the security of our own products and services.

We believe our always-on bug bounty, with more than 1200+ security researchers (think : extension of our own team) provides better value than a couple of people for a week or two. We have published our perspective on the differences in penetration tests versus vulnerability assessments versus a bug bounty program on our Approach to Security Testing page on our external website.

This year, we are publishing for the first time an in-depth whitepaper detailing a full year of statistics and information about our bug bounty program. The whitepaper includes statistics and data for the July 2020 to June 2021 timeframe, which is Atlassian’s fiscal year.

We published this whitepaper about our Bug Bounty programs to give our customers a view on progress of the program and some details of the vulnerabilities that were discovered. For many customers, these reports can take the place of a penetration test report, and shows that we are actively managing and resolving any security issues that are in found our products or services.

Stats for the year

In the July 2020 to June 2021 timeframe, we had 77 individual security researchers contributed to our bug bounty program, with a total of 348 valid vulnerabilities. The highest reported vulnerability severity was Medium, which accounted for nearly two-thirds of the valid vulnerabilities. The top three vulnerability types most found were cross-site scripting (XSS), broken authentication and session management, and improper authorization, which collectively accounted for 57% of valid vulnerabilities. Total payout of the bug bounty program for the July 2020 to June 2021 timeframe was $258,350 USD.

Download the annual bug bounty report

The July 2020 to June 2021 Annual Bug Bounty Report can be found on our Security at Atlassian main page.

1 comment


Log in or Sign up to comment
Huwen Arnone _Deiser_
Marketplace Partner
Marketplace Partners provide apps and integrations available on the Atlassian Marketplace that extend the power of Atlassian products.
October 1, 2021

This has been definitively a great initiative from Atlassian, and a win-win situation for all the implied:

  • Atlassian builds more trust and offers a better value to the customer.
  • The customer gets more value from their purchases.
  • Atlassian Marketplace vendor participants in the Bug Bounty initiative (like us with Exporter Cloud and Projectrak Cloud) get quality insights to enhance the security from their apps.

This report is very insightful. I think the overall "Stats of the year" paragraph sum it up pretty much great.

From a vendor perspective: Since November 2020, we've had 10 vulnerabilities reported in total since, all of them with a vulnerability severity of Medium.

Thank you very much for sharing @Bill Marriott 

AUG Leaders

Atlassian Community Events