Learn how Atlassian boosts their security posture by launching a fully managed bug bounty

Security at Atlassian

Collaboration is core to Atlassian, exemplified in everything from its products to the company culture. Teams at more than 107,000 companies, large and small – including Citigroup, eBay, Coca-Cola, Visa, BMW and NASA – rely on Atlassian for project tracking, content creation and sharing, real-time communication and service management products in the cloud.

With collaboration, comes trust. And trust begins with security. At Atlassian, security is baked into the product development lifecycle. Having secure and trustworthy software is of utmost importance to Atlassian’s business and customers. The entire team of security engineers is dedicated to building more secure products. Building and maintaining products that keep their customers safe is a team effort.

Seizing the Opportunity

For a number of years, Atlassian was running its own incentivized vulnerability reporting program. While very successful, the team was finding that it was too hard to manage the sheer number and varying quality of incoming reports.

The global security community is becoming more familiar with the bug bounty model and more creative in finding flaws. New types of systems are emerging, presenting additional opportunity for even more security concerns. Even with a fully dedicated security team, the Atlassian security team wants to invest in building more secure products rather than triaging and validating incoming vulnerability findings. For Atlassian, it became apparent that the balance between improving security and handling incoming vulnerability reports wasn’t quite right – paired with the increased need for quicktime to action – which highlighted the need for managed bug bounty programs.

Program Management Relies on Collaboration

Atlassian believes that collaboration is fundamental to any software or business team’s success, and leveraging the power of the crowd for security testing is a natural extension of this. Moving away from the self-managed model, Atlassian turned to Bugcrowd to leverage its fully managed bug bounty solutions, as an opportunity to offload much of that work and focus on more sensitive areas within their environment.

Atlassian launched private bug bounties with Bugcrowd in November 2016, and in July 2017, launched its first public bug bounty. Implementing a fully managed bug bounty program has helped Atlassian uncover vulnerabilities faster than ever, freeing up their security team to allocate more time to finding anti-patterns and implementing broad mitigations.

Bug Bounty Program Results

With Bugcrowd, provider of crowdsourced security testing, Atlassian’s security team adds tens of thousands external cybersecurity researchers. This highly capable community is constantly testing Atlassian’s products, using well-defined guidelines and a safe testing ground to perform their research. Their results are shared through a standardized reporting platform, and Bugcrowd’s application security engineering team handles the initial triaging and vulnerability validation.

Over the course of their programs, they have been able to maintain strong engagement across targets.

Working with Bugcrowd – Measuring Results

Bugcrowd architects security expertise into the design, support and management of every program. Atlassian levered this experience while tapping the world’s best security researcher community to help keep their products and customers secure. By demonstrating their security posture, Atlassian is not only instilling confidence in the security of their products, they’re upholding one of the company’s core values: Openness, and demonstrating a position of true leadership when it comes to the security of their customers.

Atlassian’s success is indicative of their commitment to product security and their bug bounty program has enabled them to measure their application security program in a way they were previously unable to. What does the future hold?