Atlassian launches public bug bounty with Bugcrowd

The economics of bug bounties are too overwhelming to ignore, Atlassian's head of security says.
Written by Stephanie Condon, Senior Writer

Atlassian is partnering with Bugcrowd, the crowdsourced security testing platform, to launch a public bug bounty program, the company announced Wednesday.

The enterprise software company says its private bug bounty program has been successful. Even so, "the economics of bug bounties are too overwhelming to ignore," Daniel Grzelak, Atlassian's head of security, said in a statement.

"Our traditional application security practice produces great results early in the lifecycle and deep in our services, but the breadth and depth of post-implementation assurance provided by the crowd really completes the secure development lifecycle," he said. "Multiplying the specialization of a single bounty hunter by the size of the crowd creates a capability that just can't be replicated by individual organizations."

Bugcrowd's platform will give Atlassian access to a crowd of more than 60,000 researchers who can help provide continuous testing of its collaboration tools. The public bug bounty is beginning with Atlassian's JIRA and Confluence cloud products and will eventually expand to other cloud and server products.

Initially, researchers will get up to $3,000 per bug identified, with the reward based on the impact and severity of the vulnerabilities identified.

The use of bug hunting programs remains limited, but bounties are growing as companies, government agencies and other entities realize their potential impact. The average bounty is $1,923, according to recently released data from HackerOne, but rewards can go much higher -- companies like Apple and Microsoft offer as much as $100,000 for their bug bounty programs. In 2016, Google paid about $3 million to security researchers.

Atlassian has taken a relatively proactive approach to security, which is critical for the growing number of enterprises adopting cloud-based collaboration software. The company, for instance, is one of the founding members of the Vendor Security Alliance, which launched last year to help companies assess the security risk of their third-party vendors.

Earlier this year, Atlassian's workplace chat platform HipChat was hacked due to a vulnerability in a third-party library used by HipChat.com.
