Hi Atlassian Marketplace Community,
I’ve noticed that many apps listed on the Atlassian Marketplace display a badge stating:
Security Program
This app is part of the Marketplace Bug Bounty program.
However, most of these apps seem to run private bug bounty programs on platforms like Bugcrowd, which are not accessible to the public. This raises a few questions for those who might find vulnerabilities in these apps:
- How can we responsibly report vulnerabilities when there is no contact information provided in the app’s description?
- Is there a dedicated email address or process from Atlassian to report vulnerabilities in Marketplace apps?
- If an app is part of a private bug bounty program, is there any way to get a reward or recognition for responsibly disclosing a security issue?
I believe having clarity on these points would encourage responsible disclosures and improve the overall security of apps in the Marketplace. Any guidance or help on this matter would be greatly appreciated!
Thank you!