July 2021 - June 2022 Annual Bug Bounty Report

Following our first-ever Annual Bug Bounty Report from 2021, we have updated this report to reflect a full year of statistics and data about our Bug Bounty Programs as part of our overall Vulnerability Management Program. The Annual Bug Bounty Report covers the July 2021 to June 2022 timeframe, which is Atlassian’s fiscal year, FY22.

We published this report about our Bug Bounty programs to give our customers a view of the program's progress and some details of the vulnerabilities that were discovered. For many customers, these reports can take the place of a penetration test report, and they show that we are actively managing and resolving any security issues that are found in our products or services.

We have published our perspective on the differences in penetration tests versus vulnerability assessments versus a bug bounty program on our Approach to Security Testing page on our Atlassian Trust Center.

Stats for the year

In the July 2021 to June 2022 timeframe, Atlassian received a total of 358 valid vulnerabilities which resulted in payout. The most frequently reported vulnerability severity was Medium, which accounted for 56% of the valid vulnerabilities which resulted in payout, and 89% of reported vulnerabilities were either Medium or Low severity. 100% of Critical vulnerabilities reported were resolved within SLO, with a median time-to-resolve of less than 1 day. Total payout of the bug bounty program for the July 2021 to June 2022 timeframe was $383,600 USD, which is an increase of 48% year-over-year. This increase was primarily attributable to increasing bounty payouts for all severities in May 2021.

Download the annual bug bounty report

The July 2021 to June 2022 Annual Bug Bounty Report can be found on our Security at Atlassian main page. Read more about our Atlassian Vulnerability Management Program.


