Bug Bounty program funds?

Hi,

On 4th March we transferred some funds to the program. As requested by Bugcrowd (the company running the program on Atlassian's behalf) we sent the money to Silicon Valley Bank.

We use a bank where all transactions are done almost in real time, so it takes a few seconds to receive the money and our bank confirms the money has been sent and received.

After almost a week the status of our transaction (Program Balance at Bugcrowd) is still pending…

I’ve read some news alerting about SVB (Silicon Valley Bank). It seems like this bank has run into some severe cash problems.

Is it safe for partners to transfer funds to Atlassian’s Bug Bounty program?

Best regards,
Pablo


Edit: there is evidence in replies to this thread that we were forced to pay 5X more than other vendors. So do read on after Remi’s reply in which he assumes there are no secret deals…

Hah damn :frowning:

Yep can confirm that our deposit also went into SVB. One would assume that either BugCrowd or Atlassian would insure our deposits if the news turns out that money is now gone. I am not f*kn paying that again.

The whole security badge bug bounty program is some kind of extortion; like pay-to-play levels of messed up that prevent any possibility of a fair and equal competitive substrate on which the marketplace can operate.

I’ve brought up the issue a few times only to fall on deaf ears (or be actively ghosted for months). Deposit thresholds are literally determined via secret deals because there is no public formula. And ultimately if your apps are secure you’re simply throwing money into a black hole while enduring 100s of days of bureaucracy to go from unbadged to “Cloud Security Participant” and finally “Cloud Fortified”.

It took us 434 days and literally nothing about the security, support or performance of the apps changed from start to end. We’ve paid out a grand total of 4.7% of the initial secret deposit. And all those bounties were discovered in the first 24 hours; nothing since. The icing on this shit cake will be finding out that the other 95.3% of our deposit is now gone. Stay tuned.

Complete waste of time and money that ultimately cost us competitive advantage and untold amounts of unrealised revenue in the marketplace.

As you may or may not know, I’m not the type of person to hold back punches when it comes to criticising Atlassian.

But with the Bug Bounty Program, I respectfully have to disagree with the sentiment voiced by @nathanwaters.

Atlassian is paying Bugcrowd for the program and, apart from some initial hiccups, the program is running very well. You are only responsible for filling up your bug bounty reward pool. We transferred $5,000 initially and have been topping it up on a case-by-case basis ever since. At this point, there is $1,700 in our reward pool. It has been as low as $300, which has never been an issue. There is no secret deal. There are no deposit thresholds.

We’ve been releasing new apps and with self-service, we were able to go from unbadged to Cloud Security Participant to Cloud Fortified within 4-6 weeks.

It is true that most of the reports are submitted in the first few days of new programs. But you can actively invite researchers through the program, for instance when you have released a new feature. We’ve had continuous vulnerability reports.

I understand that being required to participate in a program may feel like extortion, but in the end, it is the prerogative of Atlassian to decide on the details of their programs. Contrary to the DC testing requirements, Atlassian actually put their money where their mouth is and are actively involved & paying for this program.

Participating in a bug bounty program is an industry best practice. It is one of the tools in the box to improve security. And it has been successful at that as well with regard to Atlassian apps, as there have already been many vulnerabilities discovered (and fixed). By any measurement, this is the best performing security program within the Atlassian Ecosystem. It is definitely not a waste of money.

Again, I’m not known for siding with Atlassian, but in this case you are not doing them or the bug bounty program right with this rant.


Dang it @Remie - that makes twice in a week that we agree…

I will say though that Atlassian is also investing into the DC testing requirements - the testing framework is being maintained.


You are right. What I meant was that running the data center testing incurs costs for Marketplace Partners. It would have been classier of Atlassian to create a testing framework that would run on Atlassian infrastructure, given that they made this a requirement.


There’s a reasonable chance that BugCrowd’s deposits at SVB were insured by the FDIC (U.S. government):

Hopefully you’ll learn more this coming week.

I would assume that Bugcrowd has deposited more than 250K.

Sorry for hijacking the thread Pablo lol

Remi, you stating your deposit figures proves my point mate: our required deposit was $15,000.

That’s down from the initial $1,810,000 they wanted, followed by a second deal that wanted $25,000-$35,000 or $258,000-$362,000 (lacked clarification). Those figures, ticket numbers and quotes are all documented below.

So why were we screwed and what other deals are vendors getting? I asked multiple times to know what deals other comparable vendors with large app portfolios were getting. Seemed only fair to pay the same they did. I specifically asked what deal you were getting and did not get an answer.

“Waste of money” = we’ve paid out $700 of $15k since these bounties went live in Sep 2022.
“Waste of time” = the 434 days it took dealing with the bureaucracy of it all (100s of hours in total).
Combined = unfair deposit requirement compared to other vendors and the untold loss in clicks (thus revenue) while waiting an unfair amount of time for those badges to be applied.

Regarding the anti-competitiveness this whole program brings to the marketplace: I’m not saying bug bounties are bad. I’m saying it’s financial inequality (as in unequal opportunity) for new vendors that only serves to entrench the older vendors. Unequal opportunity when it comes to install and review count is one thing. It’s another to have unequal opportunity purely on the basis of ability to pay.

$5,000 is nothing to you and I at this stage of our businesses (and good god I don’t want to be here as long as you have - my ambitions go far beyond selling enterprise widgets) but in the early days I believe it took me over two years before I saw that much cumulative revenue.

So the problem is you have a pay-to-play incentive which boosts entrenched vendor apps with giant “THIS APP IS SECURE AND GOOD” badges while any new vendors get royally f*cked in the search results.

The marketplace should be structured in a way that sees the best products organically rise to the top. It’s not setup that way in any shape or form.

It’s in both yours and my best business interests to exclude new vendors and adopt any and all of these dumb Atlassian programs that build an artificial moat around threats from any new competitors. But it’s also not right.

I know you’ve complained about the unfairness of older vendors getting to keep all of their obviously fake reviews. The security badge program is no different to that. It’s yet another policy (of many I can document) that creates an anti-competitive marketplace.

Apps with more reviews and more installs in search results = more clicks = more installs = more $.
Apps with giant “THIS APP IS SECURE AND GOOD” badges = more clicks = more installs = more $.

I don’t know how you can possibly go one way with your opinion on reviews and the other with your opinion on security badges. The only explanation I can think of is that you forget how much $5k is and thus can’t empathise with new vendors.

If I were making the decisions on the marketplace I’d remove badges, installs and reviews from search results. Keep them in the individual app listing but make the search results view an equal playing field with relevant results randomised. Obviously the old guard would fight tooth and nail to prevent this because they know full well these things give them unfair competitive advantage.

None of those figures are genuine indicators anyway of whether one app is better than the other. Most installs = oldest app. Most reviews = oldest app with fake reviews they got to keep before Atlassian started enforcing it. Security badges = vendors who can afford it.

I’d also radically change the homepage since it’s mostly a static view that promotes the same old apps.

Part Deuce: The Details

You want the full badge journey with exact dates, figures, quotes and ticket numbers. Here you go…

All of this is documented in emails and tickets if anyone at Atlassian is intrigued to investigate.

When we first enquired on 16th December 2021 (AMKTHELP-41562) the wording of the program quite literally said the bug bounty deposit was “$5000 PER APP” (a wayback link because they later changed the wording).

At the time we had 362 apps, though I explained most of these are built via a monorepo so the total number of repos across the portfolio is very small (thus any security risks were limited). Even today with 403 apps we only have 14 repos for those frontends. With the exception of our Forge apps they’re all static frontend apps, storing data exclusively inside Confluence/Jira with authentication set to “none” in the descriptor. We don’t store customers’ secret keys to external tools like some vendors do.

I knew from the beginning the apps were performant and probably secure. The only bounties we paid out ($700 total) in the first 24 hours were insignificant XSS oversights.

I enquired about the program, clearly explaining the situation and was told this exact quote:

To participate in the bug bounty program, you will be requested to fund a minimum of $5,000 USD per app.

So they wanted a $1,810,000 deposit (362 * $5k).

I said that was dumb and got back this offer from the actual PM this time, again an exact quote:

We could potentially ask Bugcrowd to break your apps into various programs (maybe 5-7?), and then have a starting reward pool of $5/k per program.

So depending on how that’s interpreted (they never clarified despite questions) they either wanted $25,000 to $35,000 or $258,000 to $362,000.

I explained that this second offer was still bloody ridiculous, went on a bit of a rant, and said I wanted all my apps to go into a single $5,000 deposit pool. Asked if that could happen, and was then ghosted by the project manager for the Cloud Security program. That ticket alone dragged on from 16th December 2021 until 3rd March 2022. Never got a reply. Look up AMKTHELP-41562 for Atlassians who want to verify this one.

13th June 2022 I figured f*ck it, I’ll try again and just split the apps into three distinct pools with $5,000 each (ECOHELP-368, ECOHELP-369, ECOHELP-370). That worked.

I did ask at some point what the lowest I could go on the deposit pool was and the BugCrowd rep told me, quote:

This is the minimum for all Atlassian engagements on the Bugcrowd platform. Since we will be launching 3 separate engagements the total would be 15,000USD.

Those bounties didn’t go live until 23rd September 2022. That is 102 days from first submission or 281 days from the first enquiry about joining the program.

We then immediately applied for Cloud Fortified on 1st November 2022 (ECOHELP-6358) which was also a bureaucratic nightmare. Those badges were not applied until 23rd February 2023: 114 days later.

So from first unbadged contact to Cloud Fortified badges it was 434 days exactly.

And like I said, apart from fixing two minor XSS oversights, nothing about the security or performance of the apps was changed in those 434 days. They would have qualified for Cloud Fortified status from the moment they went live on the marketplace. I’m sure that’s the case with most new apps on the marketplace (particularly Forge apps or any with authentication: none in the descriptor) which further suggests this program is virtue signalling at best and anti-competitive at worst.

Again, bug bounties are useful and important. They helped us catch some minor things. But if I were making the policy and the goal was actually to secure apps on the marketplace: I’d start by removing the badges from search results, and then enrol ALL apps by default into bounties.

Keep it simple: one pool per vendor regardless of app count. If they voluntarily want to add more pools, so be it. Charge vendors with higher revenues a pool premium and use that to subsidise all other vendors. Smaller vendors would be assigned small researcher pools and perhaps lower bounty payouts. As soon as smaller vendors have the revenues to cover their own deposit pool, they do so.

Oh yes, of course. :person_facepalming:

@nathanwaters I’m sorry, but I really did not have the same experience as you have.

We applied in October 2020 and were still a small vendor, not even a silver partner (YTD revenue in Oct’22 was 80K). So we also objected to the 5K per app as we could not afford it at the time. I even had to increase the limit of our credit card as it was set to $2,500.

For completeness’ sake, I looked it up. Our initial deposit was $3,000 and we went live with 8 apps (at that point) and 100 researchers. In the ticket, Atlassian does suggest having a pool of $15,000, but they did not block us from setting our own terms with regard to the reward pool. It was nothing near the numbers you are listing. Based on your experience, it would have cost us $40,000.

I don’t know why you had a different experience. Maybe they had some bad experiences between Oct 2020 and Dec 2021 with vendors not being able to pay researchers properly because of the reward pool. What I do know, on an interpersonal level, is that I personally would not be very inclined to be lenient towards you given the way you treat people. Even in this thread you cannot refrain from making personal insults at me, and there is nothing at stake here, nor did I do anything to provoke you. So I guess you reap what you sow?

Anyway, large vendors will always have an advantage over smaller ones. Whether this is through these types of programs, or because they have the funds to sponsor events, attend ACE meetings around the world or have access to Atlassian (incl. through the Ecosystem Council).

There are thousands of apps in the Atlassian Marketplace. It makes sense for Atlassian to help customers navigate this, including the ability to filter on trust signals. It also makes sense to sort on these trust signals. And to be fair: in all likelihood the larger vendors are better at security, reliability and availability. It is not an arbitrary metric.

The only personal jab at you was that you’re mad to have endured the bullshit on this marketplace for so long (and that I hope the same doesn’t happen to me). Apologies if anything else came across as an attack. It’s hard to maintain a sense of decorum when this is not an isolated incident in being treated unfairly on this marketplace.

Ditto with the forums. This thread is not the first occasion on which I have made a claim about something absurd happening to us like “there are secret deals for bug bounty deposits and we were treated unfairly”. Someone responds with “there is no secret deal and no deposit thresholds” or something similar that tosses aside my claims.

Their post gets a bunch of likes. I then write a huge post with a detailed breakdown of dates and figures to backup the claim. Most people don’t bother reading and just make a judgement based on the perceived tone instead of the content.

I’ve been claiming the bug bounty program was unfair and based upon secret deals for well over a year now. My claims were laughed at and ignored. Plenty of evidence in this thread now that I was 100% correct.

Anyway I’ll go back to ignoring the forums again and jumping through more unfair hoops. Might come back and rant again if it turns out our remaining $14,300 deposit is gone.

Interesting to read your experience, Nathan. We are also a small vendor in the Marketplace and try not to join Marketplace programs until they are fully standardized (cloud security, partner tier, cloud fortified etc.) because it takes so much time when Atlassian is still trying to figure out the fine details after a program launch. Unlike bigger vendors, we don’t have the resources to be dragged into such a process.

We are starting with bug bounty soon and the new pool threshold is $3,000 per vendor, not per app. This was clearly communicated to us. We haven’t transferred that amount to Bugcrowd yet, fortunately, otherwise we would most likely have lost the money, as Pablo experienced.

Just a few hours ago, I received a message from Bugcrowd confirming that our transfer has been processed, and I’ve also checked that the funds are already in our program balance.

However, I would suggest waiting a few days before transferring any funds, until this situation becomes clearer. They have good intentions, seem professional and are keeping calm, but I do not know whether this is like the last notes of music before the Titanic sank.


Thanks for sharing. That’s what I would have expected to pay as a starting deposit. More evidence that the program is unfair and based upon secret deals that change from vendor to vendor.

Hell, the current documentation says “You will be requested to fund a minimum of $5,000 USD to cover the program bounty pool”. What sort of cartel clown circus is this?

btw the Bugcrowd founder confirmed that deposits should be safe: https://twitter.com/caseyjohnellis/status/1635057199734202370

@PabloBeltran and others on this thread who have expressed concerns over the status of payments to Silicon Valley Bank for the Bug Bounty program. We are following up internally and will provide an update once we have one. Some of the situation has reduced in severity over the weekend, so it’s possible this is no longer an issue but we will still be checking on it.

Please let me know if your payment is still showing as pending as well.


Hi @amardesich,

The payment was processed by Bugcrowd on Sunday and the funds are already in our program balance. So everything seems to be ok for now.

Best regards,
Pablo


@PabloBeltran and any others who experienced an issue or have concerns over payment processing: our team who works with Bugcrowd in support of the Bug Bounty program has confirmed with them that they are operating business as usual and as of Monday had no operational impacts. Here is a public statement from them for reference.

If you experience any further issues, please let us know and we will make sure we escalate accordingly.
