The Atlassian Marketplace Bug Bounty: Enhancing our apps' security

Federico Baronti
May 19, 2022 5:45:00 PM

The Bug Bounty is a bug reward program that the Atlassian Marketplace has implemented for its partners selling cloud apps on its platform. In this blog post, we'll explain how this process has improved the security of our Atlassian Marketplace apps. We'll tell you how the program has helped us, what our experience with the process has been, and the lessons we've learned.

Strengthening the security of an app is a commitment to the relationship between the manufacturer and the end customer. At DEISER, we're no strangers to that, as this means enhancing the customer experience, one of our top priorities and values. Come with us to learn what our experience has been working on the Atlassian Marketplace Bug Bounty with Projectrak for Jira and Exporter for Jira:

What's the Atlassian Marketplace Bug Bounty?

The Atlassian Marketplace Bug Bounty is a "bug hunting" program that helps Marketplace partners identify security vulnerabilities within their apps. For this hunt, Atlassian has had the invaluable collaboration of Bugcrowd, which invites "bug hunters" (testers) to test the apps enrolled in the program and detect security vulnerabilities in them.
The participating "hunters" receive a cash reward each time they detect a vulnerability, and the amount depends on the severity of the vulnerability detected. In other words, the higher the severity, the higher the reward.

This program that the Australian software titan has established for Marketplace partners is tied to a badge that you can see on the apps participating in it, such as Projectrak.

Projectrak Cloud is part of the Atlassian Marketplace Cloud Fortified program

Cloud Fortified: The mission of this badge is to offer greater security to app customers and robust customer support within the Atlassian platform. Atlassian, the Marketplace partners (us), and the end customers all benefit from this program. Learn more about this and other initiatives in the Marketplace App Trust Center.

We need to offer the best possible value to our customers through our apps and services, which is why DEISER has subscribed to this program. This is our story:

Participating in the Atlassian Marketplace bug bounty program

We've been working in the Bug Bounty program since September 8, 2020, which has been a challenge for the team. The stages, configurations, and processes involved have strengthened the security our apps provide to the customers of Projectrak for Jira Cloud and Exporter for Jira Cloud. Besides, being part of this program has been one of the reasons why DEISER has been named Atlassian Partner of the Year 2021 in the "Cloud Migrator" category:

DEISER was announced as Atlassian Partner of the Year 2021 in the Cloud Migrator category during Team '22.

1. Signing up for the program and defining the processes

Shortly after signing up, we got an email with extensive documentation containing several requirements we needed to comply with. Soon after, we had a meeting with Bugcrowd to finally start the program: we defined the best time to start, who the primary contact to receive security vulnerability reports would be, the scope of the program, and the resolution process, among other details.

2. Who detects the vulnerabilities in our apps?

In this process, Bugcrowd invites several "hunters" to participate. Those interested sign up for the program each participating company has established, which comes with different tests to identify possible vulnerabilities in the apps. These tests cover vulnerability classes such as Broken Access Control (BAC), Cross-Site Scripting (XSS), and Broken Authentication and Session Management. This program involved conscientious and thorough preparation, focused on the end user at all times, to ensure that the tests don't affect them.

At this first stage, we've included our cloud apps (Projectrak and Exporter) in the program to strengthen their security and offer a better customer experience. In the future, the Data Center versions of those apps will also be included.

3. How do we monitor reported bugs?

Atlassian provided a dashboard in Jira Cloud, in which we can visualize the following information:

  •    The SLAs established for incident resolution.
  •    General parameters for using the Jira panel.
  •    The incidents that have been reported, broken down by:
    1. Vulnerability severity level.
    2. Vulnerability type.
    3. App (Exporter Cloud and Projectrak Cloud).

4. How do we prioritize bugs?

When resolving the bugs that Bugcrowd "hunters" have reported, a series of resolution SLAs apply, established according to the severity of the security vulnerability found. These are:

[Image: resolution SLAs by vulnerability severity level]

Lessons learned: The Atlassian Marketplace Bug Bounty program

Two days after starting the program, the first security vulnerability was reported for Projectrak Cloud. Within exactly three days, the vulnerability was located, fixed, and the update published in the Marketplace; a similar process was followed for a total of seven issues across both apps. Based on this experience, we've decided to list some of our learnings:

  1. So far, four incidents have been reported for Projectrak Cloud and three for Exporter Cloud, all of them with a moderate severity level. The total investment has been $3,000.

  2. We've enriched our learning process about the security verification steps to carry out during the creation of our apps.

  3. Making security changes to an app involves a significant investment of time because of the actions that need to be carried out.

  4. Our customers get more value by working with secure apps to manage their projects and export their issues from Jira.

In short, the overall benefit of the Atlassian Marketplace Bug Bounty program is evident. The program provides a lot of information about vulnerabilities that can affect the performance of apps and, consequently, the experience of users and customers. Every app manufacturer partner should participate in this program and the other programs offered by the Australian titan; if you have doubts, look at us: we even received recognition for it.

Learn more about Projectrak for Jira and Exporter for Jira

Projectrak Cloud is safe for monitoring projects in Jira

We're committed to delivering technology solutions in the form of products and services based on Atlassian products that provide the most significant possible value to users and end customers.

If you don't know Projectrak Cloud yet and are interested in learning more about this app, available in the Atlassian Marketplace, that helps you track your projects in Jira, please visit its website by clicking below:

PROJECTRAK FOR JIRA CLOUD
