Australian software firm Atlassian has today announced the launch of its first public bug bounty, which will be conducted by the crowdsourced security testing platform Bugcrowd. The bug bounty will have nearly 60,000 cybersecurity researchers from Bugcrowd’s community performing ethical hacks on Atlassian’s Java-based solutions in order to identify and report potential bugs in the software.
Bounties of up to USD 3,000 per bug are being offered as financial incentives to security testers, who will initially focus their efforts on Atlassian’s JIRA and Confluence enterprise platforms. The exact payout will also be determined by the potential impact and severity of the bugs that are identified.
Atlassian expects its partnership with Bugcrowd to reinforce the security of the company’s products and strengthen its vulnerability management program. Atlassian’s Head of Security, Daniel Grzelak, views the collaboration as vital for his company, stating:
“The economics of bug bounties are too overwhelming to ignore. Our traditional application security practice produces great results… but the breadth and depth of post-implementation assurance provided by the crowd completes the secure development lifecycle. Multiplying the specialization of a single bounty hunter by the size of the crowd creates a capability that just can’t be replicated by individual organizations.”
The launch of the bug bounty program follows the recent discovery of a vulnerability in a third-party library that affected Atlassian’s HipChat enterprise chat platform. Plans to expand the bug bounty’s parameters to include Atlassian’s cloud and server products are tentative and will be discussed between the two companies over the coming months.
On a related note, Atlassian also plans on hiking the prices for its JIRA and Confluence enterprise software, with further details to follow as and when we receive them.