Following on from our FY22 Annual Bug Bounty Report, we have updated the FY23 report to reflect a full year of statistics and data about our Bug Bounty Programs as part of our overall Cloud Vulnerability Management Program. The Annual Bug Bounty Report includes statistics and data for the July 2022 to June 2023 timeframe, which is Atlassian’s fiscal year, FY23.
We publish this report about our Bug Bounty programs to give our customers a view of the program's progress and provide details about discovered vulnerabilities.
The FY23 report has been revamped to include an expanded scope of products, an overview of increased security testing efforts within Atlassian, updated data tracking for bug bounty reports, and improved data visualizations that offer a better breakdown of vulnerability priorities.
A Quick Overview of the Stats
In the July 2022 - June 2023 time-frame, Atlassian received a total of 251 valid vulnerability reports via our bug bounty program (from 79 unique researchers) that resulted in payment. In the preceding year, Atlassian received a total of 358 valid vulnerability reports, so this represents a 30% decrease year-over-year. Atlassian made a total of $251,883 USD in payments through its bug bounty program in FY23, approximately a 34% decrease compared to the previous financial year (this decrease in payments is directly correlated with the reduction in reported vulnerabilities).
The most frequently reported vulnerability severity was Medium, accounting for 60% of the valid vulnerabilities resulting in payout; approximately 84% were either Medium or Low severity.
All Critical vulnerabilities reported were resolved within SLO (Service Level Objective) with a median time-to-resolve of 3.5 days. Full details of our SLO timelines can be found on the Security Bugfix Policy page.
Download the annual bug bounty report
For complete details on these statistics, please refer to the FY23 Annual Bug Bounty Report, available on our Approach to Security Testing page or as a direct download here. You can also find comprehensive information about our approach to external security testing on the same page.
If you require more information about Atlassian’s bug bounty program, approach to security testing, or our security program in general, please consult the following resources: