The Bug Bounty is a bug reward program that Atlassian Marketplace has implemented for its partners selling cloud apps on its platform. In this blog post, we'll explain how our process has improved the security of our Atlassian Marketplace apps. We'll tell you how the program has helped us, our experience in the process, and what lessons we learned.
Strengthening the security of an app is a commitment to the relationship between the manufacturer and the end customer. At Deiser, we're no strangers to that, as this means enhancing the customer experience, one of our top priorities and values. Come with us to learn about our experience working in the Atlassian Marketplace Bug Bounty with Projectrak for Jira and Exporter for Jira:
The Atlassian Marketplace Bug Bounty is another "bug hunting" program that helps its partners identify security vulnerabilities within their apps. For this hunt, Atlassian collaborated with Bug Crowd. They invite "bug hunters" (testers) to test and detect security vulnerabilities in the apps enrolled in the program.
The "hunters" participating receive a cash reward each time they detect a vulnerability; the amount depends on the severity of the vulnerability detected. In other words, the higher the severity, the higher the reward:
This program, which the Australian software titan has established for Marketplace partners, is tied to a badge that you can see on the apps participating in it, such as Projectrak.
Projectrak Cloud is part of the Atlassian Marketplace Cloud Fortified program
Cloud Fortified: The mission of this badge is to offer greater security to app customers and robust customer support within the Atlassian platform. Atlassian, the Marketplace partners (us), and the end customers all benefit from this program. Learn more about this and other initiatives in the Marketplace App Trust Center.
We need to offer the best possible value to our customers through our apps and services, which is why DEISER has subscribed to this program. This is our story:
We've been working in the Bug Bounty program since September 8, 2020, and it has challenged the team. Its stages, configurations, and processes have led our apps to deliver stronger security to Projectrak for Jira Cloud and Exporter for Jira Cloud customers. Besides, being part of this program is one of the reasons why Deiser was named Atlassian Partner of the Year 2021 in the "Cloud Migrator" category:
Shortly after signing up, we got an email with extensive documentation containing several requirements we needed to comply with. Soon after, we had a meeting with Bug Crowd to finally start the program: defining the best time to start, naming the primary contact who would receive the security vulnerability reports, establishing the scope of the program, and setting the resolution process, among other details.
In this process, Bug Crowd invites several "hunters" to participate. Those interested sign up for the program each participating company has established, which comes with different tests to identify possible vulnerabilities in the apps. These tests cover vulnerability classes such as Broken Access Control (BAC), Cross-Site Scripting (XSS), and Broken Authentication and Session Management. The program involved conscientious and thorough preparation, focused on the end user at all times, to ensure that the tests do not affect them.
At this first stage, we've included our cloud apps (Projectrak and Exporter) to strengthen their security and offer a better customer experience. In the future, the program will also include the Data Center versions of those apps.
Atlassian provided a Dashboard in Jira Cloud, in which we can visualize the following information:
For resolving the bugs that Bug Crowd "hunters" report, a series of resolution SLAs has been established according to the security vulnerability found. These are:
Two days after starting the program, the first security vulnerability was reported for Projectrak Cloud. Within exactly three days, the vulnerability was located, fixed, and the updated app published to the Marketplace; a similar process followed for seven issues across both apps. Based on this experience, we've decided to list some of the lessons we learned:
In short, the overall benefit of the Atlassian Marketplace Bug Bounty program is evident. The program surfaces a great deal of information about vulnerabilities that can affect app performance and, consequently, the user and customer experience. Every app manufacturer partner should participate in this program and in the other programs offered by the Australian titan; if you have doubts, look at us. We even received recognition for it.