I’ve been participating in Atlassian’s bug bounty program on Bugcrowd and have encountered several issues that make the process frustrating for researchers.
Lack of Escalation to the Atlassian Security Team
If a reported vulnerability is considered “minimal” or requires little user interaction, triagers often close it without consulting the Atlassian team. Even when researchers request escalation, Bugcrowd does not reach out to the Atlassian team, and the Atlassian team does not provide feedback or respond to comments once a report is closed by Bugcrowd triagers.
Negative Impact on Researcher Scores
If a researcher insists on escalation, Bugcrowd triagers may penalize their score instead of facilitating communication with Atlassian. This discourages researchers from raising legitimate concerns.
No Direct Contact with Atlassian Security
Unlike Uber on HackerOne, which provides a dedicated email in its policy for researchers to reach out with concerns, Atlassian does not offer any contact method. If researchers attempt to contact Bugcrowd support to forward concerns to the Atlassian team, they refuse to do so.
Bugcrowd Support Doesn’t Help
No matter how much a researcher insists—either before submitting a vulnerability or after—it seems impossible to get Bugcrowd to forward concerns to Atlassian’s security team.
No Clear Policy for Direct Communication
Since reaching out via social media (e.g., Twitter) would be a breach of Bugcrowd policy, researchers have no alternative but to remain unheard. Atlassian should explicitly state an official email or process for researchers to clarify scope and policy concerns.
Atlassian should provide a clear email address in their Bugcrowd policy where researchers can reach out with concerns regarding scope, vulnerability handling, or any other issues. If direct contact isn’t possible, at least an official policy on how to escalate concerns should be documented, without going through Bugcrowd’s frustrating process.
Thank you for your valuable feedback and for participating in Atlassian’s bug bounty program. We understand your concerns regarding the communication challenges you’ve faced. I would like to clarify that Atlassian does provide direct contact methods for security researchers (security@atlassian.com), which are publicly documented. Here are some key resources:
Report a Vulnerability: We have a dedicated page with clear instructions for reporting vulnerabilities on Atlassian products, which can be accessed at Report A Vulnerability | Atlassian.
Marketplace VDP: We have also provided a direct contact email for security researchers to report Marketplace vulnerabilities. You can find detailed instructions on how to reach out to us here: Vulnerability Disclosure Program.
We are committed to ensuring that researchers have a straightforward way to communicate with us. If you have any further questions or need assistance, please feel free to reach out through the provided channels. We look forward to continuing our collaboration with the security researcher community.
First, thank you for keeping the doors open to the bug-hunting community. I know how demanding triage can be.
I’m a full-time bug hunter on Atlassian’s Bugcrowd program, and I’ve been running into the same difficulties many others have described. I enjoy Atlassian products and want to keep helping, yet the current workflow is discouraging / frustrating.
Below is the situation as I, and several top hunters I’ve spoken with, see it, broken out by the three parties involved.
1 Bugcrowd
Triagers often close reports labeled “minimal” before Atlassian ever sees them
Requests for escalation usually end with the ticket marked Not Applicable
Pressure to move fast: your April to June 2025 transparency report shows 1,081 submissions from 311 testers. I understand why triagers feel the need to keep the queue light, but that speed sometimes leaves meaningful edge-case vulns unheard.
Heavy remediation queue: once a bug actually reaches your team, you still have to fix it and ship a safe update. That is real work, and we appreciate it.
I have emailed security@atlassian.com twice from a @proton.me account, as you suggested in your last message, and haven’t received a reply in over a month.
Could you confirm whether Proton mail is filtered or blocked?
Bug Hunters’ side
When a report dies in triage, we never learn why the impact was rated Low or Medium, so our future submissions don’t improve.
I speak with high-ranking hunters, and they tell me to avoid programs with limited feedback because repeated silent closures lead to burnout and fewer findings.
Despite the frustration, I want to keep contributing to Atlassian’s security.
What would help all sides:
A brief note on severity for the report, or having an answer if the hunter asks
A brief note on severity or any response when a hunter asks would reduce friction
Shopify’s public HackerOne reports (e.g., the end of hackerone.com/reports/1695604) show one way to share a severity context explanation
How can a hunter sharpen future submissions when there’s no insight into why a finding was ultimately scored Low or Medium?
Why: Fewer frustrations → more engaged hunters → better quality reports → greater safety for Atlassian and its customers
Could you confirm whether Proton mail is filtered or blocked?
If you need any help or more information from the bug hunter side of the Atlassian program, you can reach me at o006jce11[at]mozmail[dot]com
Thank you for your time and for the work your team does to keep Atlassian customers safe. I’m eager to adapt my reporting process so I can continue providing useful vulnerabilities.