Reporting Vulnerabilities in Apps with Private Bug Bounty Programs

Hi Atlassian Marketplace Community,

I’ve noticed that many apps listed on the Atlassian Marketplace display a badge stating:

Security Program
This app is part of the Marketplace Bug Bounty program.

However, most of these apps seem to run private bug bounty programs on platforms like Bugcrowd, which are not accessible to the public. This raises a few questions for those who might find vulnerabilities in these apps:

  1. How can we responsibly report vulnerabilities when there is no contact information provided in the app’s description?
  2. Is there a dedicated email address or process from Atlassian to report vulnerabilities in Marketplace apps?
  3. If an app is part of a private bug bounty program, is there any way to get a reward or recognition for responsibly disclosing a security issue?

I believe having clarity on these points would encourage responsible disclosures and improve the overall security of apps in the Marketplace. Any guidance or help on this matter would be greatly appreciated!

Thank you!


Any MP app listing has a “Privacy & Security” tab, for example: Workzone: PullRequest Workflow | Atlassian Marketplace

On that page you will find a security incident/vulnerability contact email address like so:

Most apps should have the Privacy & Security section populated. If not, the MP vendor has not completed the Security assessment and you can then use their default support channel.

Hope that helps, Ulrich
// Izymes