Data breaches can cost companies millions of dollars and cause lasting damage to their reputation and customer trust. Take it from credit reporting agency Equifax, which experienced a data breach in 2017. Afterwards, they spent millions on improving their cyber security, including a new vulnerability discovery program. For our part, Atlassian has had this type of program in place for our products since 2017, winning Bugcrowd’s Program of the Year award in both 2018 and 2019. We’ve also recently introduced the Marketplace Bug Bounty Program, the first of its kind, which extends security beyond our own products to our greater ecosystem of partners. Now, we’re announcing our next step for increasing cloud security: our new Cloud Security Participant badge.
Cloud Security Participant badge
When it comes to their data, we know that trust and security are top-of-mind for our customers. Reflecting our commitment to the security of our ecosystem, we’ve added additional badging of Marketplace apps to help customers identify which ones meet increased security standards. These badges include our Cloud Fortified badge, as well as our Cloud Security Participant badge.
The Cloud Security Participant badge identifies cloud apps enrolled in the Marketplace Bug Bounty Program, and will evolve to include more rigorous testing and security assessments, like CAIQ-Lite, an industry-standard questionnaire aimed at addressing the 16 most crucial aspects of the cloud controls matrix.
All apps labeled with the Cloud Security Participant badge are part of a rigorous bug bounty program and are built by partners who incentivize active security research and fix security issues within an Atlassian-defined timeframe.
Marketplace’s bug bounty program
Atlassian is leading the field in trust and security when it comes to our partners – we are the first company to extends its bug bounty program into its ecosystem. We started with a small beta of four Marketplace Partners (Adaptavist, Tempo, K15t, ALM Works) and the program has grown to well over 60 participants (and counting!). To help our partners get started on their security journeys, Atlassian is subsidizing the initial costs of creating bug bounties and covering vulnerability awards during the first six weeks. To date, the program has discovered over 300 vulnerabilities and paid out close to $200K in awards to security researchers.
On average, each of the app bug bounties has about 250 participating security researchers. This global pool of talented researchers allows Marketplace Partners to facilitate post-production vulnerability discovery in a cost-efficient way. By using a Bugcrowd as a third-party system, Atlassian is ensuring that all partners are triaging and prioritizing bugs in the same way and reaching security standards that are typically out of reach for most small- to medium-sized businesses. The program will also allow customers to request third-party penetration test reports from any of the apps that they use.
We recognize that ongoing efforts to increase security is an essential part of maintaining our customers’ trust. The Marketplace Bug Bounty program and the new Cloud Security Participant badge are part of the next iteration in Atlassian’s cloud security story, and we will continue to evolve these programs through a focus on industry-standard assessments and vulnerability scanning. We are committed to working with our Marketplace Partners to increase the security of their cloud infrastructure and applications in order to increase the value of the Marketplace apps our customers rely on.