Over the last few years, Atlassian has made some giant strides in the security and governance of our cloud products. We strive to meet the highest standards for personal data protection and regulatory requirements – including GDPR – and increasing the scope of our ISOC and SOC certifications. We know that the beauty of SaaS products is their ability to collaborate and distribute information seamlessly, but also recognize their potential to introduce new security dynamics. Since end users have more freedom and power to expose data through interactions inside and outside their organizations, securing that data is of utmost importance.

Take, for example, a typical organization with between 200 and 501 employees. According to the State of SaaS 2019 report by Blissfully, a company of this size uses an average of 123 SaaS apps. That may already sound like a lot, but when we break it down even further, that’s an average of 2,700 app-to-person connections. Every app-to-person connection needs to be kept secure, and every new login adds complexity, not to mention the app-to-app connections that come into play when SaaS apps are integrated through APIs. These connections mostly go unseen, as some apps delegate permissions and feed data between other apps.

So, given the volume of app-to-app connections that exist in our daily workflows, Atlassian is working to extend the security standards we’ve set for ourselves to our ecosystem partners. The Atlassian Marketplace is committed to ensuring that customer information shared with third-party app partners remains private and secure. We’re rolling out additional updates to our already-stringent cloud security requirements for our Marketplace apps to help keep customer information secure and prevent apps from egressing data.

The Atlassian Marketplace Bug Bounty Program

Why we’re letting 60,000 Bugcrowd security researchers ethically hack us

Atlassian has been running a public bug bounty program since 2017, which is widely regarded as very successful, winning Bugcrowd’s Program of the Year award for both 2018 and 2019. Building on this success, Atlassian recently announced the launch of a new initiative, the Atlassian Marketplace Bug Bounty Program, which allows us to scale the success of our original initiative to our Marketplace Partners.

Both bug bounty programs use Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers. In the six months since we first rolled out a beta of this project, the Marketplace Bug Bounty program has helped identify 277 vulnerabilities across 32 applications. After a preliminary beta with four of our top Marketplace Partners, we recently opened the program to all of our Marketplace Partners.

Customers should be able to trust their apps innately, and the Marketplace Bug Bounty program will ensure that apps have ongoing vulnerability testing. In an interview with Marketplace Partner Adaptavist – one of the first to participate in the program – Jon Mort, their Head of Product Engineering, said that they “believe that the biggest value of the bug bounty program for customers is an across-the-board increase of quality of Marketplace apps.” To make it easier for customers to identify apps that are currently enrolled in the program, we expect to roll out additional badging on the Marketplace in the coming months.

Cloud app security programs

In addition to the new Marketplace Bug Bounty program, we’re rolling out enhancements to our cloud security program. All Marketplace Partners will be required to fill out a Consensus Assessments Initiative Questionnaire (CAIQ) Lite, which is a streamlined, industry-recognized questionnaire designed to help organizations assess the security posture of their cloud vendors. The CAIQ-Lite comprises 73 questions aimed at addressing the 16 most crucial aspects of the cloud controls matrix.

These questions are intended to identify areas for improvement in regards to data security best practices. CAIQ-Lite assess a partner’s application security practices, data retention practices, and approach to governance and risk management, along with other information. Some apps have already gone through stringent testing for ISO and SOC certifications, but these can have a steep price tag. The CAIQ-Lite questionnaire is fast becoming an industry standard for cloud security, and Atlassian is helping partners take these next steps by offering the programs for free.

We are requiring that all Platinum, Gold, and Silver Marketplace Partners complete the CAIQ-Lite questionnaire, which is then reviewed by Atlassian. We want customers to make informed choices about which Marketplace apps to trust. This is manifested by additional information and badges around Marketplace partners’ security posture.


Introducing Forge, a new way to build and run apps for the Atlassian cloud

We were also thrilled to announce Forge, a new way to build Atlassian cloud apps. It’s clear to us that customers see cloud in their future, and we’ve set out to address the complexities of running apps in the cloud by making the way developers build trusted and secure apps easier than ever. The Forge platform is composed of three components to rethink app development in our ecosystem, including a serverless Functions-as-a-Service (FaaS) hosted platform with Atlassian-hosted compute and storage, a declarative UI language that allows developers to build with ease (Forge UI), and a state-of-the-art DevOps toolchain powered by the intuitive Forge Command Line Interface (CLI). Forge will empower developers to more easily build and securely run cloud apps that integrate with Atlassian products. Forge is currently in closed beta – join the waitlist to take it for a spin.

Atlassian’s commitment to privacy and trust

Trust and consumer data privacy have always been top priorities for Atlassian. In order to keep customer information private, our APIs mask user information so that Marketplace apps only have access to personal data that is set by a user to “public.” This gives users direct control over visibility of their personal data and the ability to restrict access to it at any time. Additionally, all Marketplace app partners have their own individual privacy policy. Each policy outlines what information the app will collect, how it will be used, and who will have access to that data. Privacy policies and end-user agreements are available on each app listing in the Atlassian Marketplace.

Together with the improvements to our cloud security program, the rollout of our Marketplace bug bounty, and the inherent security that comes with our new Forge app platform, Atlassian customers will have added confidence in the tools they use alongside Atlassian products. For more information about the programs we’ve set in place to secure your data, visit our new Marketplace trust center.

How Atlassian is shaping the security of our cloud ecosystem