Atlassian offers up to US$3000 per bug in new bounty program
- 13 July, 2017 10:17
Atlassian founders Mike Cannon-Brookes and Scott Farquhar
Atlassian is set to offer security researchers up to US$3000 ($3906) per bug in its very first bug bounty program to be run through Bugcrowd.
Bugcrowd, a crowdsourced security testing firm, will tap into its community of nearly 60,000 cybersecurity researchers for continuous testing of Atlassian’s collaboration tools.
The testing will begin with Atlassian's JIRA and Confluence cloud products, with plans to expand the scope to additional Atlassian cloud and server products in the months to come.
Financial rewards with be dished out to security researchers for each bug identified, depending on the impact and severity of the vulnerabilities identified on its JIRA and Confluence platforms.
This news follows the integration of Bugcrowd's Crowdcontrol platform and JIRA to improve the application security workflow from start to finish, and the success of Atlassian’s private bug bounty program.
Atlassian expects the partnership with Bugcrowd to reinforce the security of the company's products and strengthen its vulnerability management program.
"The economics of bug bounties are too overwhelming to ignore," Atlassian head of security, Daniel Grzelak, said.
"Our traditional application security practice produces great results… but the breadth and depth of post-implementation assurance provided by the crowd completes the secure development lifecycle. Multiplying the specialisation of a single bounty hunter by the size of the crowd creates a capability that just can't be replicated by individual organisations."
Bugcrowd founder and CEO, Casey Ellis, mentioned that expanding its bug bounty program enables Atlassian to tap into the security researcher community to help keep its products and customers secure.
"Organisations worldwide trust the productivity of their teams to Atlassian," Ellis said.
“By demonstrating its security posture, Atlassian is not only instilling confidence in the security of its products, it’s upholding one of the company's core values: transparency, and demonstrating a position of true leadership when it comes to the security of their customers,” he added.
The launch of the bug bounty program follows the discovery of a vulnerability on a third-party library that affected Atlassian’s HipChat team chat platform.
Atlassian’s chief security officer, Ganesh Krishan, sent an email to users on 25 April, revealing that the company’s security intelligence team had detected an incident affecting the platform, that may have resulted in unauthorised access to some user account information.
The company then prompted a mass password reset for the company’s services not long after.
Atlassian also recently launched a new package of offerings for the enterprise market for easier products and services bundling for partners and customers and automation enhancements to its code management and continuous integration platforms.