Atlassian’s Bug Bounty Program: Join Us in Our Hunt

A photo of the blog post's author
Product Marketing Manager
5 min read /
We're taking part again in 2020!

Update for 2020: We're involved in Atlassian's Bug Bounty Blitz for Cloud apps. This is on top of the regular bug bounty program that's already running on Bugcrowd.

When you think of Atlassian, what do you think of? Perhaps time tracking and team collaboration software spring to mind. So you might be wondering how Atlassian’s connection to Barada Syrienhilfe, a charity which provides aid to those in need in Syria came about…

Atlassian’s Bug Bounty Program

The connection begins with Atlassian’s bug bounty program. Atlassian actively invites external developers and users of their products to participate in the program by testing elements of their software – with the aim of uncovering any security vulnerabilities that are not yet known to them. With new versions of their products being released frequently, there is a constant need for Atlassian's products to be tested. Those who submit a valid report can receive a payout to the tune of up to $5,000.

Atlassian revamped their previous bug bounty program at the end of 2016 to the program which they are using today. The Atlassian Security team used to spend a high proportion of their time investigating bug reports of which only 3/20 were valid. Since the new program was launched, the success rate for valid bugs found is now 3/4. The success of this program is due to:

  • Clearly defined rules so participants know what is and isn't in scope for bug hacking.
  • Issue filtering to ensure the security team only receives valid claims.
  • Attractive monetary incentives to encourage more people to research the bugs which leads to higher quality reports.

Naturally, We Wanted to Join the Hunt...

As an Atlassian partner and Marketplace vendor, K15t has a whole team of developers who are already clued up about Atlassian’s products and were excited to get involved with the bug bounty program. 

Our app teams build on Atlassian’s Confluence and Jira platforms every day, and it wasn’t long before our eagle-eyed developers uncovered their first vulnerabilities. After a bit of internal investigation, the issues were submitted to Atlassian as Tier 1 vulnerabilities. 

After receiving our submissions, Atlassian validated them and fixed the bugs within a matter of days. The quick turnaround demonstrates Atlassian's commitment to the security of their users. 

The individuals who found the bugs received compensation from Atlassian: $6,800 to be exact.

Using Our Bug Bounty Reward to Support Educational Opportunities in Syria

And so, with their bug bounty reward in hand, the team members who found the bugs decided the best use for their reward money was to donate it to charity. The charity chosen was Barada Syrienhilfe, which supports a cause close to our heart.

Earlier this year, Andre joined the K15t team after moving to Germany from his home in Syria where his family and friends remain, still affected by the humanitarian crisis. K15t co-founder, Stefan Kleineikenscheidt, was moved by Andre's story and set out to find a charity we could contribute to.

He came across Barada Syrienhilfe who help those affected by the war by delivering food and medical assistance, daily essentials like clothing, diapers, and hygiene products, and most important to us and to Andre – providing educational opportunities to children and young adults. Andre knew first-hand just how difficult it can be for a lot of young people in Syria to get a decent education and that by getting one it can create so many opportunities to better their lives. 

We Care and Commit: It’s One of K15t’s Values, After All!

After hearing what’s going on right now in Syria, it’s pretty hard to un-hear. We just can’t turn a blind eye to it, which is why we will be sending any future Atlassian bug bounty rewards we receive to Barada Syrienhilfe.

We are also committed to our hunt for bugs within Atlassian’s range of products. Anything we can do to spot potential security breaches creates a win-win situation for both Atlassian and now Barada Syrienhilfe too.

Atlassian encourages anyone to get involved to help them find any vulnerabilities within the products. Learn more about the program here, including the reward amounts which Atlassian are offering for valid claims.

Want to hunt for Atlassian security vulnerabilities whilst building great software? We're hiring!
See open positions