Ok, so it seems like Atlassian has been doing a bit of implied reasoning here.
They made changes to the Bug Bounty Program and communicated those changes separately (https://developer.atlassian.com/platform/marketplace/bug-bounty-going-public/)
That change requires all Bug Bounty programs that are paid for by Atlassian to go public:
- By June 30th, 2026: Program must be fully public or scheduled to go public with Bugcrowd.
This change is mandator for all Atlassian managed Bug Bounty programs:
No exceptions policy:
Unfortunately there are no exceptions and all Atlassian managed marketplace bug bounty programs must be public or actively working toward transitioning to a public program.
With the most important aspect of the change being:
Enforcement actions:
If you are not in the process of going public by the compliance deadline, Atlassian is entitled to pause and deactivate your bug bounty program.
So basically, the change to the Bug Bounty program requires you to go public, or your Atlassian managed Bug Bounty program will be deactivated.
From that, it logically follows that you no longer meet the requirement of having a Paid Bug Bounty Program participation and thus not meeting the criteria for the Marketplace Partner program and thus loosing your badge.
All of this is implied logic.
Atlassian never clearly communicated specifically that Marketplace Partner Program participants are required to migrate to a public bug bounty program. Which is why there is now confusion and why partners will need to scramble.
Once again, Atlassian proves why siloed autonomous disconnected teams that do not communicate which each other are really a bad idea.