Bug Bounty July 2024 Update

At the start of each quarter, we publish a roll-up report from each of our Bug Bounty programs to give our customers a view of the progress of the program and the vulnerabilities. For many customers, these reports can take the place of a penetration test report and show that we are actively testing and identifying any security issues that are in our products or services.

As part of our commitment to ensuring the highest level of security for our products, we have expanded our efforts to include both penetration tests and our always-on bug bounty program. With over 1200+ security researchers contributing, our bug bounty program serves as an extension of our own team, providing continuous monitoring and testing for potential vulnerabilities. We believe that this comprehensive approach provides superior value when combined with targeted penetration tests that are also performed (we post updated Letters of Assessment for each product’s penetration test on our https://www.atlassian.com/trust/security/security-testing, at the bottom of the page).

Bug Bounty Stats for the Quarter

In the April 2024 to June 2024 quarter, we had 301 individual security researchers contribute to our bug bounty program, submitting a total of 561 bugs for review, with a total of 150 valid bugs, which is an average of ~31% valid bug to noise ratio (with a low of 10% valid bug to noise ratio in our Halp program and a high of 71% valid bug to noise ratio in our Jira Align program) across our six independent bug bounty programs.

Compared to the January 2024 to March 2024 quarter, we had a 8% decrease in security researchers, 2% increase in bugs submitted for review, and a 5% decrease in valid bugs, with a lower bug-to-noise ratio by ~9%. While we did see a slight decrease in overall in submissions last quarter, comparing against other ‘Computer Software’ organisations running a bug bounty over the same period we had a ~1313% higher number of submissions.

Get the Reports

If you have customers asking for a penetration test report, first point them to the https://www.atlassian.com/trust/security/security-testing#bug-bounty-reports page where we have published the bug bounty reports for Atlassian (including Jira, Confluence, Bitbucket, and more), Halp, Jira Align, Opsgenie, Statuspage, and Trello. We have also published the same links to the Security Testing section of our Security Practices page.

Download current test reports

These reports show the progress of our bug bounties for the April 2024 to June 2024 quarter. Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and are closed according to the SLA timelines on our Security Bug Fix Policy.

• Download the latest Atlassian bug bounty report (2024-07)

• Download the latest Halp bug bounty report (2024-07)

• Download the latest Jira Align bug bounty report (2024-07)

• Download the latest Opsgenie bug bounty report (2024-07)

• Download the latest Statuspage bug bounty report (2024-07)

• Download the latest Trello bug bounty report (2024-07)

Halp End of Life (EOL)

As of June 4, 2024, our Halp program has been closed on Bugcrowd as the stand-alone product has reached its End of Life (EOL). Halp's chat functionality has been integrated into another one of Atlassian's products, Jira Service Management Cloud. The feature, called Jira Service Management Chat or Atlassian Assist, is already in flight and ready for testing. Please report Jira Service Management Cloud related submissions to the Atlassian Bug Bounty Program at https://bugcrowd.com/atlassian.

Please see the following for more details about Halp and its current state:

• https://community.atlassian.com/t5/Assist-articles/The-evolution-of-Halp-into-Jira-Service-Management-Cloud/ba-p/2293388

• https://www.atlassian.com/software/halp

• https://support.atlassian.com/jira-service-management-cloud/docs/migrating-from-halp-to-jira-service-management/

This quarter’s bug bounty report will be the final one for the Halp program.

Atlassian’s Security Testing Updates

The Security Testing team continues to work closely with cyber security consultancies to conduct thorough penetration tests on Atlassian products.

This approach ensures that Atlassian's products and services undergo rigorous testing and evaluation. By combining the bug bounty program with the efforts by our security testing team, Atlassian can leverage the expertise of external researchers while also maintaining a proactive and comprehensive security posture.

You can read more about these efforts at: https://www.atlassian.com/trust/security/security-testing where additionally we publish “Letters of Assessment” for the annual penetration tests performed on Atlassian products. Letters of Assessment published recently include:

• Letter of Assessment for Atlassian External and Internal Adversary Simulation Assessment (2024-04)

• Letter of Assessment for Bamboo Server & Data Center (2024-05)

• Letter of Assessment for Jira Product Discovery (2024-05)

• Letter of Assessment for Atlassian Analytics (Web Application) (2024-06)

• Letter of Assessment for Atlassian Guard (2024-06)

• Letter of Assessment for Loom (2024-06)

• Letter of Assessment for Fisheye & Crucible Server (Web Application) (2024-07)

• Letter of Assessment for Compass (Web Application) (2024-07)