The Bug Bounty is a bug reward program that the Atlassian Marketplace has implemented for its partners selling cloud apps on its platform. In this blog post, we'll explain how our process has improved our Atlassian Marketplace apps' security. We'll tell you how the program has helped us, how our experience in the process has been and the lessons learned.

Strengthening the security of an app is a commitment to the relationship between the manufacturer and the end customer. At DEISER, we're no strangers to that, as this means enhancing the customer experience, one of our top priorities and values. Come with us to learn how have been our experience working in the Atlassian Marketplace Bug Bounty with Projectrak for Jira and Exporter for Jira:

What's the Atlassian Marketplace Bug Bounty?

The Atlassian Marketplace Bug Bounty is another "bug hunting" program that helps its partners identify security vulnerabilities within their apps. For this hunt, Atlassian has had the invaluable collaboration of Bug Crowd. They invite "bug hunters" (testers) to test and detect security vulnerabilities in the apps enrolled in the program.
The "hunters" participating receive a cash reward each time they detect a vulnerability, which depends on the severity of the vulnerability detected. In other words, as high the severity is, the higher the reward will be:

•    Atlassian range's reward goes from $200 to $10,000. Here you can check the latest Atlassian report about the program status.
•    The rewards established by DEISER go from $100 to $1,500.
  Later in this post, we'll show you the results and investment. Here's a sneak peek at our Bug Crowd profile.

This program the Australian software titan has established for Marketplace partners is tied to a badge that you can see among the apps that are participating in this program, such as Projectrak

Projectrak Cloud is part of the Atlassian Marketplace Cloud Fortified program

Cloud Fortified: The mission of this badge is to offer greater security to app customers and robust customer support within the Atlassian platform. Atlassian, the Marketplace partners (us), and the end customers all of us benefit from this program. Learn more about this and other initiatives in the Marketplace App Trust Center.

We need to offer the best possible value to our customers through our apps and services, which is why DEISER has subscribed to this program. This is our history:

Participating in the Atlassian Marketplace bug bounty program

We've been working in the Bug Bounty program since September 8, 2020, which has been a challenge for the team. The stages, the configurations, and processes have taken our apps to grant security to Projectrak for Jira Cloud and Exporter for Jira Cloud apps customers. Besides, being part of this program has been one of the reasons why DEISER have been named Atlassian Partner of the Year 2021 in the "Cloud Migrator" category:

DEISER was announced as Atlassian Partner of the Year 2021 in the Cloud Migrator category during the Team'22.

1. Signing up for the program and defining the processes

Shortly after signing up, we got an email with extensive documentation containing several requirements we needed to comply with. Soon after, we had a meeting with Bug Crowd to finally start the program by defining when it's the best time to start the program, who's the primary contact to receive the security vulnerability incidents, to establish the scope of the program, and set the resolution process, among others details.

2. Who detects the vulnerabilities in our apps?

In this process, Bug Crowd invites several "hunters" to participate. Those interested will sign up for the program each participating company has established, which comes with different tests to identify possible vulnerabilities in the apps. These tests cover vulnerabilities from Broken Access Control (BAC), Cross-Site Scripting (XSS), Broken Authentication, and session management. This program involved a conscientious and thorough preparation, focused on the end-user at all times, considering that tests don't affect them.

At this first stage, we've included our cloud apps (Projectrak & Exporter) to strengthen their security to offer a better customer experience. In the future, the Data Center versions of those apps will also be included in the program.

3. How to monitor reported bugs?

Atlassian provided a Dashboard in Jira Cloud, in which we can visualize the following information:

•    Establishment of SLAs for incident resolution.
•    General parameters for using the Jira Panel.
•    The incidences that have been reported according to:
  1. Vulnerability severity level.
  2. Vulnerability type.
  3. By app (Exporter Cloud and Projectrak Cloud).

4. How do we prioritize bugs?

When resolving the bugs that Bug Crowd "hunters" have reported, a series of resolution SLAs have been established according to the security vulnerability found. These are:

Lessons learned: The Atlassian Marketplace Bug Bounty program

Two days after starting the program, the first security vulnerability was reported for Projectrak Cloud. In the following three days (precisely), the vulnerability was located, fixed, and updated in the Marketplace; a similar process continued with a total of seven issues between both apps. Therefore, we've decided to list some learnings based on this experience:

1. So far, Projectrak Cloud has reported four incidents, and Exporter Cloud has three, all of them with a moderate severity level. The total investment has been $3,000.
   
   
2. We've enriched our learning process about the verification steps on security aspects during the creation of our apps.
   
   
3. Making security changes to an app involves a significant investment of time due to the actions that need to be carried out.
   
   
4. Our customers are getting more value by working with secure apps to work on their projects and exporting their issues from Jira.

In short, the overall benefit from the Atlassian Marketplace Bug Bounty program is evident. This program will report a lot of information about vulnerabilities that can affect the performance of apps and, consequently, the experience of users and customers. Every app manufacturer partner should participate in this program and the other programs offered by the Australian titan; if you have doubts, look at us, we even had recognition for it.