Australia’s best-known tech startup, Atlassian, has launched its first public bug bounty with Australia-founded crowdsourced security testing platform Bugcrowd.
Atlassian is now offering researchers up to USD $3,000 for each reported bug affecting its Java-based products JIRA, an issue tracker, and Confluence, its wiki product.
"The economics of bug bounties are too overwhelming to ignore," said Daniel Grzelak, head of security for Atlassian.
Atlassian is approaching the public bug bounty with some experience in the field.
The company has been running a private vulnerability disclosure program for several years with its own security team through its JIRA Service Desk product, which allows its customers to receive feedback, including bug reports, from users.
While Atlassian has used it to receive reports of bugs in its own products, it has also helped customers, such as air ticket comparison site Skyscanner, receive bug reports from staff members. Atlassian’s product manages the to and fro between employees about bugs, but still leaves the job of ‘triaging’, or figuring out the impact of a bug, to the customer.
The most widely known bug bounty is run by Google, which has paid millions to researchers over the past five years and handles all aspects of the program, from receiving reports from the public to sifting through bug reports, validating them and eventually paying researchers. Facebook and Microsoft also run their own bug bounties, but few other organizations have the scale to do the same on their own.
Still, vulnerability disclosure programs and bug bounty payouts are gaining acceptance from more organizations, particularly in the US, through third-party providers such as Bugcrowd, HackerOne, and Synack.
The latter two firms are running the US Department of Defense bug bounty, which offers it an alternative procurement method, where.
The providers also give customers access to a broader network of ethical hackers. Bugcrowd gives Atlassian access to 60,000 ethical hackers who’ve registered with Bugcrowd, according to Atlassian.
The partnership with Bugcrowd isn’t Atlassian’s first experience with crowdsourcing security testing. The company, which listed on the Nasdaq in 2015 and is valued at $8bn, earlier this year acquired project collaboration software firm Trello for $425m, which had a public bounty in place at the time with rival bug bounty platform HackerOne.
Australian organizations haven’t gone public with bug bounty programs, but Bugcrowd founder and CEO Casey Ellis told CSO Australia that it has seen a steady increase in adoption by local organizations through private bounties.
"We've seen strong interest and adoption in the ANZ market over the past year. This includes a swath of adoption of private programs which adopt the same economic and resourcing model as the one Atlassian just launched but, as the name suggests, on a private, invitation-only basis," said Ellis.
Atlassian says it will eventually replace its private disclosure program, which currently covers 14 product lines, with the public bounty.