Announcing the Marketplace Bug Bounty Blitz

Update: April 17, 2020 - We are closing the Blitz participation request on April 22nd to give us ample time to finalize the partners who’ve already signed up and get everything set up to start the blitz on time.

Update: April 2, 2020 - Clarified the question about existing programs getting on-boarded to the blitz automatically. Covered under the FAQ.

Update: March 23, 2020 - Clarified some concerns over the ongoing bug bounty program vs the blitz. They are covered under the FAQ.

Update: March 20, 2020 - Added a FAQ section at the end. We will continue to expand the FAQ as we get more questions.

Hello All,

At Atlassian, we believe that a bug bounty program is one of the most powerful post-production tools you can implement to help detect vulnerabilities in your applications and services. Crowdsourcing vulnerability discovery augments the skills of your team by providing access to a skilled pool of security researchers.

And, time and again, the current bug bounty programs that some of our marketplace partners run on Bugcrowd have shown us that bug bounty programs provide a great ROI and are extremely helpful in increasing the overall security posture of our marketplace apps: an app gets reviewed for security vulnerabilities in a short time by crowdsourced researchers, and you only pay for valid findings, as opposed to paying a consulting company a large sum up front without knowing whether you are going to get any valid findings at all.

To that end, we are super excited to announce that Atlassian is going to conduct a short-term Bug Bounty Blitz on Bugcrowd (initially running for 6 weeks, but with the potential to run longer if we see sustained success) for all interested marketplace partners (every partner is eligible to participate), wherein Atlassian will not only cover the platform costs, but also cover the rewards for any valid and accepted security vulnerability submitted for the apps listed in scope of this event. On top of these rewards, Atlassian will also give out bonuses to further incentivize security researchers to find more impactful vulnerabilities in our marketplace apps.

It is important to note that this blitz event is different from your ongoing bug bounty program on Bugcrowd (if you already have one) and that it will only include cloud apps. For this blitz event specifically, we will create new programs for all participating marketplace partners, listing only the cloud apps in scope. To reiterate, Atlassian will cover the platform, reward and bonus costs for this blitz event only, and it will only include cloud apps.

Beginning in July, if you are a Platinum, Gold, or Silver partner, participation in the paid Bug Bounty Program is a requirement. However, we welcome all Marketplace partners who would like to participate in this blitz event. So, we highly encourage you to join this event and take advantage of the fact that Atlassian is covering all costs associated with it. In turn, you get to learn about security vulnerabilities affecting your cloud apps.

Also launching in summer 2020 is app-level badging to indicate which apps are in the paid Bug Bounty Program. This is how we will differentiate your apps to customers and Solution Partners in the Marketplace. We aim to send them a strong signal that these apps are doing the right thing from a security standpoint.

What do I get by joining this blitz?

  • You will get all your cloud apps reviewed for security vulnerabilities, at no additional cost to you, during the course of the blitz.

What are my expectations?

In order to join the marketplace bounty blitz event, there are a few expectations we have from our marketplace partners. Marketplace Partners joining the program will:

  • Agree to the Bugcrowd T&C.
  • Agree to triage all reported issues within 14 days of the issue being reported. This means that all reports will be approved or declined within 14 days of being reported (not necessarily fixed within that time).
  • Agree to fix all reported issues within the SLAs outlined in the marketplace security requirements document.
  • Agree to join the existing Atlassian Marketplace Bug Bounty Program for a minimum of 12 months once the blitz event has been completed.
  • Agree to complete your blitz program brief by Apr 30, 2020. The program brief should only include your cloud apps. If there is a particular focus area in your cloud apps (such as a particularly sensitive piece of functionality within an app, or a class of vulnerability) that you would like the researchers to concentrate on, we can include these as well. Atlassian will reward bonuses on any vulnerabilities identified in these focus areas.
  • Agree to dedicate a point of contact during the course of the blitz who will help answer any questions from the researchers or Atlassian.

We understand that there may be a backlog of issues that needs to be addressed after the blitz, so we are giving all new joiners of the Atlassian Marketplace Bug Bounty Program a 3-month window after the blitz has been completed to catch up with that backlog and launch their ongoing program.

How do I sign up?

  • You can fill out this form to request joining the blitz event. Somebody from Atlassian will follow up with you after that. Please do this by April 22nd, as we will stop taking requests after that date.

Expectations from Atlassian

  • We will communicate the rewards tier and bonuses with you once you agree to join the blitz.
  • We will pay out the rewards and bonuses for all accepted vulnerabilities during the course of the blitz.
  • We will run the blitz from May 26, 2020 - Jun 30, 2020. Please note that these dates are tentative and subject to change.

Please note that this is the first time we are doing such an event and we are figuring things out on the fly, so please bear with us. If you have any questions/concerns about this blitz event, please feel free to post them here in this thread and we will try to answer them as they come.

FAQ

Do we need to raise a ticket for each app separately?
A - If you can create a single ticket and list all your cloud apps in scope there, that would be preferred.

If you already have a regular ongoing bug bounty program on Bugcrowd, will that program go dormant or will both programs (regular and blitz) run concurrently?
A - We will get all the researchers who are participating in your regular program on-boarded onto the blitz program. The blitz program will have incentives (bonuses) for them to report to the blitz program (we’re still thinking about what these will be; more information to come). These incentives will clearly be in the researchers’ best interest, so they will want to report to the blitz over your current program.

In the event that a researcher reports a vulnerability for one of your cloud apps to your ongoing program rather than the blitz program, it would also be in your best interest to close the submission and ask them to report it in your blitz program (that is totally fine to do whilst the blitz is on). It is important to note here that the blitz doesn’t cover server apps, so you would still triage those as usual in your regular program. Just direct the cloud submissions to the blitz program.

What if you’re currently in the middle of applying to the regular bug bounty program?
A - To join the blitz program, you have to have a completely ready-to-go ongoing program (one that has either started, or can be started at any time). So this means that you should keep going with getting on-boarded with the ongoing regular bug bounty program by paying the order form and completing the bounty brief.

The blitz may change when you choose to go live. The two logical options are that you go live with your server apps (because they’re not going to be in scope for the blitz program), or that you delay going live until after the blitz.

We anticipate most marketplace partners will fall into one of these two categories.

How do I go about joining the ongoing bounty program, so that I can be part of the blitz?
A - As part of the onboarding ticket to join the blitz, we will get you to complete the setup for the ongoing program. So just raise a ticket here, and we will get that ball rolling for you, so that you’re ready to join the blitz when it starts.

If marketplace vendors already have an ongoing program on Bugcrowd, should they still send in a request by filling out the form to join the blitz?
A - No, it is not required. For all existing vendors on Bugcrowd, we will automatically enroll them in the Blitz and create a Blitz program for them, separate from their ongoing program. Having said that, if for whatever reason a vendor doesn’t want to get a free pentest by joining the blitz, please raise a ticket and mention that.

19 Likes

@AnshumanBhartiya -
This sounds great. We’re already participating in the Bugcrowd program and it indeed has been very helpful.

If we participate in the Blitz:

  1. Does the regular program go dormant or do both programs run concurrently?
  2. If concurrently - will BugCrowd triage submissions taking into account both programs (assuming the same submission is reported in both programs)?

Cheers,
Adam

3 Likes

Similar to what @adam asked - what if you’re currently in the middle of applying to the bug bounty program?

@jlau2 does participation in the blitz fulfill the bug bounty program requirement in the new marketplace partner program?

3 Likes

Do we need to raise a ticket for each app separately?

Thanks,
Jack

Hi @daniel,

Yes, participation fulfills the requirement!

Please note this stipulation above:
“Agree to join the existing Atlassian Marketplace Bug Bounty Program for a minimum of 12 months once the blitz event has been completed.”

Hi @adam, we have a meeting with Bugcrowd next week. I will clarify this for you and get back asap.

Hi @jack, ideally if you can create a single ticket and list all your cloud apps there, that would be brilliant. Thanks!

Hi @adam,

Just to give you some insight into how I’m thinking about the blitz for existing program participants:

We will get all the researchers who are participating in your program onboarded to the blitz program.
The blitz program will have incentives for them to report to the blitz program (we’re still thinking about what these will be, more information to come). These incentives will clearly be in the researchers’ best interest, and so they will want to report to the blitz over your current program.

In the event that a researcher reports a vulnerability for one of your cloud apps to your ongoing program, rather than the blitz program, it would also be in your best interest to close the submission and ask them to report it in your blitz program (and that’s totally fine to do whilst the blitz is on). The blitz doesn’t cover server apps, so you would still triage them as per usual.

As @AnshumanBhartiya alluded to - we’re still very early in organising the blitz (we’re really only a week, plus or minus a few days, into really moving forward with this idea). We wanted to get the word out to vendors quickly, so that they can plan this work in their roadmaps, and so we can get a sense of just how many vendors are going to want to sign up to this program (so we can organise ourselves for that kind of scale).

I hope that helps answer the questions!
Thanks,
Matt

4 Likes

@danielwester - To join the blitz program, you have to have a completely ready-to-go ongoing program (that has either started, or can be started at any time). So this means that you should keep going with getting onboarded with the ongoing bounty program.

For clarification, to join the blitz program our marketplace partners will have to have completed the process for joining the ongoing program - that means completing and paying the order form, as well as completing the bounty brief.

The blitz may change when you choose to go live. The two logical options are that you would choose to go live with your server apps (because they’re not going to be in scope for the blitz program), or you would choose to delay going live until after the blitz. I anticipate most marketplace partners will fall into one of these two categories.

For partners who already have an ongoing program, as I replied earlier, the researchers in your programs will be added to the blitz program as well, and the blitz program will have incentives that the regular programs do not have, which will entice researchers into participating in your blitz program, rather than your ongoing program.

If a researcher does report an issue in a cloud app to your ongoing program, it would also logically be in your best interest to point the researcher to the blitz program, and close the issue in your ongoing program accordingly. This is also a totally fine and reasonable thing to do.

I hope that helps answer the questions, and give some more clarity!
Thanks,
Matt

5 Likes

Another clarification for a question I’ve had a couple of times from various places:

Q: How do I go about joining the ongoing bounty program, so that I can be part of the blitz?
A: As part of the onboarding ticket to join the blitz, we will get you to complete the setup for the ongoing program - so just raise a ticket here, and we will get that ball rolling for you, so that you’re ready to join the blitz when it starts.