Atlassian teams up with Bugcrowd for its first bug bounty

Australia’s best-known tech startup Atlassian has launched its first public bug bounty with Australia-founded crowdsourced security testing platform Bugcrowd.

Atlassian is now offering researchers up to US$3,000 for each reported bug affecting the company’s Java-based products JIRA, an issue tracker, and Confluence, its wiki product.

"The economics of bug bounties are too overwhelming to ignore," said Daniel Grzelak, head of security for Atlassian.

Atlassian is approaching the public bug bounty with some experience in the field.

The company has been running a private vulnerability disclosure program for several years with its own security team through its JIRA Service Desk product, which allows its customers to receive feedback, including bug reports, from users. 

While Atlassian has used it to receive reports of bugs in its own products, it has also helped customers, such as air ticket comparison site Skyscanner, receive bug reports from staff members. Atlassian’s product manages the to and fro between employees about a bug but leaves the job of ‘triaging’, or figuring out the impact of the bug, to the customer.

The most widely known bug bounty is run by Google, which has paid millions to researchers over the past five years and handles all aspects of the program, from receiving reports from the public to sifting through bug reports, validating them and eventually paying researchers. Facebook and Microsoft also run their own bug bounties, but few other organizations have the scale to do the same on their own.

Still, vulnerability disclosure programs and bug bounty payouts are gaining acceptance from more organizations, particularly in the US, through third-party providers such as Bugcrowd, HackerOne, and Synack. 

The latter two firms are running the US Department of Defense bug bounty, which offers it an alternative procurement method.

The providers also give customers access to a broader network of ethical hackers. In Atlassian’s case, that means the 60,000 ethical hackers who’ve registered with Bugcrowd, according to Atlassian.

The partnership with Bugcrowd isn’t Atlassian’s first experience with crowdsourced security testing. The company, which listed on the Nasdaq in 2015 and is valued at $8bn, earlier this year acquired project collaboration software firm Trello for $425m; Trello had a public bounty in place at the time with rival bug bounty platform HackerOne.

Australian organizations haven’t gone public with bug bounty programs, but Bugcrowd founder and CEO Casey Ellis told CSO Australia that it has seen a steady increase in adoption by local organizations through private bounties.

"We've seen strong interest and adoption in the ANZ market over the past year. This includes a swath of adoption of private programs which adopt the same economic and resourcing model as the one Atlassian just launched but, as the name suggests, on a private, invitation-only basis," said Ellis.

Atlassian says it will eventually replace its private disclosure program, which currently covers 14 product lines, with the public bounty.

Stories by Liam Tung