Updates to Atlassian's Ecosystem Security Bug Bounty Programs

Hiya everyone! I’m Jake. I'm a new Product Manager on the Ecosystem Security team located in Jersey City, New Jersey. In my role, I will focus on all of Ecosystem’s Security Programs, and building relationships with our partners. I’m dedicating my first post to an exciting announcement for one of these programs, which you can read below!

Starting today, September 1, 2021, Atlassian is taking two of its Bug Bounty Programs public! The Atlassian Marketplace Vulnerability Disclosure Program and the Atlassian Ecosystem Program will now accept submissions from all Bugcrowd researchers, as opposed to a limited set of invitees. Additionally, we are changing the name of the Atlassian Ecosystem Program to ‘Atlassian-Built Apps Bug Bounty Program,’ in order to further clarify the scope of this program in its title.

The initial success of this program has made a big impact; over the past year, Atlassian and our partners have patched over 140 vulnerabilities discovered through both programs, and Atlassian has paid nearly $40,000 in rewards through the Atlassian-Built Apps Bug Bounty Program. Accepting more researchers to these programs is a critical step forward in marketplace security, and a clear indicator of the continued success of bug bounties.

Overall, this move expands the presence of these programs, deepens our efforts to identify and address vulnerabilities, and reflects our commitment to the security of our marketplace, our apps, and our partners' apps.

Additionally, the Marketplace Security Bug Bounty Program continues with momentum. As of today, there are 134 total Marketplace Programs, a few which are public, as well. These programs compliment our efforts to leverage bug bounties as a tool for securing the marketplace by empowering partners to create programs themselves. As a reminder, Atlassian rewards partners who host their own bug bounties by giving them the Cloud Security Participant Badge in the Atlassian Marketplace. If you are a partner interested in taking your own program public, please submit this form - we highly recommend it!

As a refresher, I’ve summarized the goal and scope of the three aforementioned bug bounties below:

Atlassian Marketplace Vulnerability Disclosure Program (VDP).

• To discover and patch vulnerabilities in all marketplace listed cloud apps built by partners and developers.

• This program is going public!

Atlassian-Built Apps Bug Bounty Program (formerly known as the Atlassian Ecosystem Program).

• To discover and patch vulnerabilities in all marketplace listed apps built by Atlassian.

• This program is going public!

Marketplace Security Bug Bounty Program.

• To empower partners to host their own bug bounty programs that meet Atlassian’s requirements, listed here.