The Bug Bounty is a bug reward program that the Atlassian Marketplace has implemented for its partners selling cloud apps on its platform. In this blog post, we'll explain how our process has improved our Atlassian Marketplace apps' security. We'll tell you how the program has helped us, how our experience in the process has been and the lessons learned.
Strengthening the security of an app is a commitment to the relationship between the manufacturer and the end customer. At DEISER, we're no strangers to that, as this means enhancing the customer experience, one of our top priorities and values. Come with us to learn how have been our experience working in the Atlassian Marketplace Bug Bounty with Projectrak for Jira and Exporter for Jira:
The Atlassian Marketplace Bug Bounty is another "bug hunting" program that helps its partners identify security vulnerabilities within their apps. For this hunt, Atlassian has had the invaluable collaboration of Bug Crowd. They invite "bug hunters" (testers) to test and detect security vulnerabilities in the apps enrolled in the program.
The "hunters" participating receive a cash reward each time they detect a vulnerability, which depends on the severity of the vulnerability detected. In other words, as high the severity is, the higher the reward will be:
This program the Australian software titan has established for Marketplace partners is tied to a badge that you can see among the apps that are participating in this program, such as Projectrak
Projectrak Cloud is part of the Atlassian Marketplace Cloud Fortified program
Cloud Fortified: The mission of this badge is to offer greater security to app customers and robust customer support within the Atlassian platform. Atlassian, the Marketplace partners (us), and the end customers all of us benefit from this program. Learn more about this and other initiatives in the Marketplace App Trust Center.
We need to offer the best possible value to our customers through our apps and services, which is why DEISER has subscribed to this program. This is our history:
We've been working in the Bug Bounty program since September 8, 2020, which has been a challenge for the team. The stages, the configurations, and processes have taken our apps to grant security to Projectrak for Jira Cloud and Exporter for Jira Cloud apps customers. Besides, being part of this program has been one of the reasons why DEISER have been named Atlassian Partner of the Year 2021 in the "Cloud Migrator" category:
DEISER was announced as Atlassian Partner of the Year 2021 in the Cloud Migrator category during the Team'22.
Shortly after signing up, we got an email with extensive documentation containing several requirements we needed to comply with. Soon after, we had a meeting with Bug Crowd to finally start the program by defining when it's the best time to start the program, who's the primary contact to receive the security vulnerability incidents, to establish the scope of the program, and set the resolution process, among others details.
In this process, Bug Crowd invites several "hunters" to participate. Those interested will sign up for the program each participating company has established, which comes with different tests to identify possible vulnerabilities in the apps. These tests cover vulnerabilities from Broken Access Control (BAC), Cross-Site Scripting (XSS), Broken Authentication, and session management. This program involved a conscientious and thorough preparation, focused on the end-user at all times, considering that tests don't affect them.
At this first stage, we've included our cloud apps (Projectrak & Exporter) to strengthen their security to offer a better customer experience. In the future, the Data Center versions of those apps will also be included in the program.
Atlassian provided a Dashboard in Jira Cloud, in which we can visualize the following information:
When resolving the bugs that Bug Crowd "hunters" have reported, a series of resolution SLAs have been established according to the security vulnerability found. These are:
Two days after starting the program, the first security vulnerability was reported for Projectrak Cloud. In the following three days (precisely), the vulnerability was located, fixed, and updated in the Marketplace; a similar process continued with a total of seven issues between both apps. Therefore, we've decided to list some learnings based on this experience:
In short, the overall benefit from the Atlassian Marketplace Bug Bounty program is evident. This program will report a lot of information about vulnerabilities that can affect the performance of apps and, consequently, the experience of users and customers. Every app manufacturer partner should participate in this program and the other programs offered by the Australian titan; if you have doubts, look at us, we even had recognition for it.
No Comments Yet
Let us know what you think