Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

July 2020 - June 2021 Atlassian Annual Bug Bounty Report

September 30, 2021

As we highlight each quarter, we maintain an always-on bug bounty to identify and triage security vulnerabilities in our products and services. Many customers ask us for ‘penetration reports’ or similar - a report from a third-party that shows that we are testing the security of our own products and services.

We believe our always-on bug bounty, with more than 1200+ security researchers (think : extension of our own team) provides better value than a couple of people for a week or two. We have published our perspective on the differences in penetration tests versus vulnerability assessments versus a bug bounty program on our Approach to Security Testing page on our external website.

This year, we are publishing for the first time an in-depth whitepaper detailing a full year of statistics and information about our bug bounty program. The whitepaper includes statistics and data for the July 2020 to June 2021 timeframe, which is Atlassian’s fiscal year.

We published this whitepaper about our Bug Bounty programs to give our customers a view on progress of the program and some details of the vulnerabilities that were discovered. For many customers, these reports can take the place of a penetration test report, and shows that we are actively managing and resolving any security issues that are in found our products or services.

Stats for the year

In the July 2020 to June 2021 timeframe, we had 77 individual security researchers contributed to our bug bounty program, with a total of 348 valid vulnerabilities. The highest reported vulnerability severity was Medium, which accounted for nearly two-thirds of the valid vulnerabilities. The top three vulnerability types most found were cross-site scripting (XSS), broken authentication and session management, and improper authorization, which collectively accounted for 57% of valid vulnerabilities. Total payout of the bug bounty program for the July 2020 to June 2021 timeframe was $258,350 USD.

Download the annual bug bounty report

The July 2020 to June 2021 Annual Bug Bounty Report can be found on our Security at Atlassian main page.

Comment
Watch
Like # people like this
1170 views

1 comment

Comment

Log in or Sign up to comment
Huwen Arnone _Deiser_
Huwen Arnone _Deiser_
Solutions Partner
Solution Partners provide consulting, sales, and technical services on Atlassian products.
October 1, 2021

This has been definitively a great initiative from Atlassian, and a win-win situation for all the implied:

  • Atlassian builds more trust and offers a better value to the customer.
  • The customer gets more value from their purchases.
  • Atlassian Marketplace vendor participants in the Bug Bounty initiative (like us with Exporter Cloud and Projectrak Cloud) get quality insights to enhance the security from their apps.

This report is very insightful. I think the overall "Stats of the year" paragraph sum it up pretty much great.

From a vendor perspective: Since November 2020, we've had 10 vulnerabilities reported in total since, all of them with a vulnerability severity of Medium.

Thank you very much for sharing @Bill Marriott 

Like
Bill Marriott

Bill Marriott

Atlassian Team
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.

About this author

Trust & Security

Atlassian

Sydney

4 accepted answers

52 total posts

View profile
groups-icon
Trust & Security
TAGS
AUG Leaders

Atlassian Community Events

    See all events