I’ve been participating in Atlassian’s bug bounty program on Bugcrowd and have encountered several issues that make the process frustrating for researchers.
- Lack of Escalation to the Atlassian Security Team
  If a reported vulnerability is considered "minimal" or requires little user interaction, triagers often close it without consulting the Atlassian team. Even when researchers request escalation, Bugcrowd does not reach out to the Atlassian team, and the Atlassian team does not provide feedback or respond to comments once a report has been closed by Bugcrowd triagers.

- Negative Impact on Researcher Scores
  If a researcher insists on escalation, Bugcrowd triagers may penalize their score instead of facilitating communication with Atlassian. This discourages researchers from raising legitimate concerns.

- No Direct Contact with Atlassian Security
  Unlike Uber on HackerOne, whose policy provides a dedicated email for researchers to reach out with concerns, Atlassian does not offer any contact method. If researchers attempt to contact Bugcrowd support to forward concerns to the Atlassian team, they refuse to do so.

- Bugcrowd Support Doesn't Help
  No matter how much a researcher insists, either before submitting a vulnerability or after, it seems impossible to get Bugcrowd to forward concerns to Atlassian's security team.

- No Clear Policy for Direct Communication
  Since reaching out via social media (e.g., Twitter) would be a breach of Bugcrowd policy, researchers have no alternative but to remain unheard. Atlassian should explicitly state an official email or process for researchers to clarify scope and policy concerns.

Atlassian should provide a clear email address in their Bugcrowd policy where researchers can reach out with concerns regarding scope, vulnerability handling, or any other issues. If direct contact isn't possible, at least an official policy on how to escalate concerns should be documented, without going through Bugcrowd's frustrating process.