At Atlassian, security is baked into the product development lifecycle. We employ an entire team of security engineers who build threat models, review code, and test our systems. Building and maintaining products that keep our customers safe is a team effort.

Our first public bug bounty program run through Bugcrowd

Today, we’re launching Atlassian’s first bug bounty program. We’re adding Jira and Confluence Cloud to the existing programs for Trello and Statuspage, and will soon expand to additional cloud as well as self-hosted products in the months to come. Our new public bounty program will eventually replace the private disclosure program the Atlassian Security Team has been running for a few years through our Jira Service Desk. The original program has grown significantly since it started, and with the added complexity of managing over 14 product lines, we decided it was time to turn to an expert, Bugcrowd, to help supercharge our program.

With Bugcrowd, provider of crowd-sourced security testing, Atlassian’s security team adds nearly 60,000 external cybersecurity researchers. This highly capable community is constantly testing our products, using well-defined guidelines and a safe testing ground to perform their research. Their results are shared through a standardized reporting mechanism, and Bugcrowd’s application security engineering team handles the initial triaging and vulnerability validation.

For more information about our bug bounty program and to see the scope of the program, please click big green button!

Check out the bug bounty program

Security @ Atlassian

We believe transparency is core to building trust between Atlassian and our customers. Today’s launch of a public bug bounty program is part of our ongoing effort to build awareness and knowledge around cybersecurity and safe practices. Here are a few additional resources to check-out from the Atlassian Security Team:

  • Atlassian Trust Center – Last year, we launched our new Trust @ Atlassian site to make it easier to find the information you need to trust Atlassian products and cloud services. The website includes detailed information about our security, including how we run our Security Management Program, updated Privacy information, and our Atlassian Transparency Report which provides information about government requests for user data.
  • Cloud Security Alliance STAR submission – Atlassian is one of the only companies to not only publish answers to the CSA STAR questionnaire, but to also provide a detailed explanation for each of the 300+ questions. Atlassian is also a proud member of CSA.
  • ISO27001 Certification – Atlassian has achieved the ISO27001 certification, which is recognized as the premier information security management system (ISMS) standard worldwide.

Why we’re letting 60,000 Bugcrowd security researchers ethically hack us