Frustrations with Atlassian’s Bug Bounty Program on Bugcrowd

I’ve been participating in Atlassian’s bug bounty program on Bugcrowd and have encountered several issues that make the process frustrating for researchers.

  1. Lack of Escalation to the Atlassian Security Team
    If a reported vulnerability is considered “minimal” or requires little user interaction, triagers often close it without consulting the Atlassian team. Even when researchers request escalation, Bugcrowd would not reach the Atlassian team, and the Atlassian team does not provide feedback or respond to comments once a report is closed by Bugcrowd triagers.

  2. Negative Impact on Researcher Scores
    If a researcher insists on escalation, Bugcrowd triagers may penalize their score instead of facilitating communication with Atlassian. This discourages researchers from raising legitimate concerns.

  3. No Direct Contact with Atlassian Security
    Unlike Uber on HackerOne, which provides in its policy a dedicated email for researchers to reach out with concerns, Atlassian does not offer any contact method. If researchers attempt to contact Bugcrowd support to forward concerns to the Atlassian team, they refuse to do so.

  4. Bugcrowd Support Doesn’t Help
    No matter how much a researcher insists—either before submitting a vulnerability or after—it seems impossible to get Bugcrowd to forward concerns to Atlassian’s security team.

  5. No Clear Policy for Direct Communication
    Since reaching out via social media (e.g., Twitter) would be a breach of Bugcrowd policy, researchers have no alternative but to remain unheard. Atlassian should explicitly state an official email or process for researchers to clarify scope and policy concerns.

Atlassian should provide a clear email address in their Bugcrowd policy where researchers can reach out with concerns regarding scope, vulnerability handling, or any other issues. If direct contact isn’t possible, at least an official policy on how to escalate concerns should be documented, without going through Bugcrowd’s frustrating process.

1 Like

Thank you for your valuable feedback and for participating in Atlassian’s bug bounty program. We understand your concerns regarding the communication challenges you’ve faced. I would like to clarify that Atlassian does provide direct contact methods for security researchers (security@atlassian.com), which are publicly documented. Here are some key resources:

  1. Report a Vulnerability: We have a dedicated page with clear instructions for reporting vulnerabilities on Atlassian products, which can be accessed at Report A Vulnerability | Atlassian.
  2. Marketplace VDP: We have also provided a direct contact email for security researchers to report Marketplace vulnerabilities. You can find detailed instructions on how to reach out to us here: Vulnerability Disclosure Program.

We are committed to ensuring that researchers have a straightforward way to communicate with us. If you have any further questions or need assistance, please feel free to reach out through the provided channels. We look forward to continuing our collaboration with the security researcher community.

Best regards,

Srivathsav
Atlassian Product Security Team

1 Like