We were notified by our TPM that the security team found us to be in violation of the requirements to maintain our trust signals. The reason for this is that we have 2 entries in our Bugcrowd scope definition that don’t match the MPAC URL format:
- Atlas Authority’s AWS and Heroku accounts
We were encouraged to add these to the scope when we first joined the program, and have had these targets in our Bugcrowd program since inception (for over a year). We firmly believe that having researchers check our main site where customers look for MPAC-related information, and our AWS and Heroku configs where we run our apps, is in the interest of protecting customers and their data.
I would like to understand why the security team has chosen to:
- Switch the policies on what can be in scope for a Bugcrowd program
- Do so without any notice to Marketplace Partners
- Justify how this improves security for customers and their data