Bug Bounty Report Update - October 2020

Bill Marriott
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 13, 2020

We maintain an always on bug bounty to identify and triage issues in our products and services. Many customers ask us for ‘penetration reports’ or similar - basically a report from a third-party that shows that we are testing the security of our own products and services.

We believe our always-on bug bounty, with more than 1200+ security researchers (think : extension of our own team) provides better value than a couple of people for a week or two. We also recently published our thinking on the differences in penetration tests versus vulnerability assessments versus a bug bounty program on our Approach to Security Testing page on our external website.

Once a quarter, we publish a roll-up report from each of our Bug Bounty programs to give our customers a view on progress of the program and the vulnerabilities. For many customers, these reports can take the place of a penetration test report, and shows that we are actively managing and closing any security issues that are in our products or services.

Get the Reports

If you have customers asking for a penetration test report, point them out to the Approach to Security Testing page, where (down at the bottom) we have published reports for Atlassian (including Jira, Confluence, Bitbucket and more), Statuspage, Trello and Opsgenie. We have also published the same links to the Bug Bounty section of our Security Practices page.

Download current test reports

These reports show the progress of our bug bounties for the July 2020 to September 2020 quarter. Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and are closed according to the SLA timelines on our Security Bug Fix Policy.

 

1 comment

Comment

Log in or Sign up to comment
Boris Berenberg - Atlas Authority
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
October 13, 2020

Does the spike in submissions and validations in late July for the Atlassian program have anything to do with the Marketplace Blitz?

Anshuman Bhartiya
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
October 14, 2020

@Boris Berenberg - Atlas Authority Looking at the report, it only applies to our main Atlassian bounty program that has nothing to do with marketplace bounty or the blitz that we did. I think the spike might mostly be related to COVID and how there is more time for researchers since everybody is staying at home. I remember Bugcrowd mention that a few times that they have started to see more than usual traffic because of COVID or at least they thought its because of that. 

TAGS
AUG Leaders

Atlassian Community Events