Invalidating trust signals for having non-MPAC apps on Bugcrowd

We were notified by our TPM that the security team found us to be in violation of the requirements to maintain our trust signals. The reason for this is that we have 2 entries in our Bugcrowd scope definition that don’t match the MPAC URL format:

  1. Atlas Authority’s AWS and Heroku accounts

We were encouraged to add these to the scope when we first joined the program, and have had these targets in our Bugcrowd program since inception (for over a year). We firmly believe that having researchers check our main site, where customers look for MPAC-related information, and our AWS and Heroku configs, where we run our apps, is in the interest of protecting customers and their data.

I would like to understand why the security team has chosen to:

  1. Switch the policies on what can be in scope for a Bugcrowd program
  2. Do so without any notice to Marketplace Partners
  3. Justify how this improves security for customers and their data



Hi @boris,

We currently do not restrict partners from listing non-marketplace targets in the bug bounty program scope. To clarify, partners can list targets other than Marketplace apps, and doing so does not violate any badge requirements. However, if you want to list a Marketplace app, it should follow the naming convention defined in the badge requirements to receive a Cloud Security Participant badge. We would definitely notify partners in case of any badge requirement changes.

I will follow up internally and get back to you with more context on any violations in your program.

Srivathsav Gandrathi
Ecosystem Security Team
