Hello everyone,
I recently launched a Jira Cloud application that's started to gain traction. However, for wider adoption, it needs to be cloud certified, prompting us to join Bugcrowd's bug bounty program. This entails a significant investment of $5k for rewards across various issue priorities. The thought of having over 100 researchers scrutinizing the app is daunting, yet I'm optimistic about not encountering severe vulnerabilities (P1-P3)... maybe I am naive. I'm interested in hearing about others' experiences with this program. How did it impact your app's security and market trust? This initiative is crucial yet challenging for our small startup. The worst-case scenario would be multiple P1-P3s raised in the first days the bug bounty goes live, but I think that is unlikely considering cloud-based apps are also internally scanned by Atlassian?
Any shared experiences or advice would be greatly appreciated.
Hey,
Welcome to the club.
I'd definitely support engaging in this program for several reasons:
Although I do not know what your app is about, I'd recommend re-checking proper authentication and remediation of everything related to user inputs and XSS to have a smooth start.
Cheers,
Thorsten
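As an added illustration of the "user inputs and XSS" point above (this is example code, not the commenter's or Atlassian's, and it assumes a hypothetical app that fetches issue fields from Jira and builds its own HTML in the browser), the block below shows the vulnerable string-concatenation pattern beside an output-encoded version. The issue object, field names and render functions are all constructed for the example.

```javascript
// Added example (not from the thread). Assumption: the app receives issue
// fields such as key, summary and a browse URL from Jira and renders them
// into its own UI markup. Anyone who can create or edit an issue controls
// those strings, so they must be treated as attacker-supplied.

// Entity-encode the characters that change meaning in HTML text and in
// double- or single-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Only allow http(s) link targets; anything else (javascript:, data:,
// unparseable input) is replaced with a harmless fragment link.
function safeHref(url) {
  try {
    const u = new URL(String(url));
    return (u.protocol === 'https:' || u.protocol === 'http:') ? escapeHtml(u.href) : '#';
  } catch {
    return '#';
  }
}

// Vulnerable: untrusted text is concatenated straight into markup, so a
// crafted summary closes the title attribute and injects a live element,
// and a crafted URL becomes a javascript: link.
function renderIssueCardUnsafe(issue) {
  return `<div class="issue" title="${issue.summary}">` +
    `<a href="${issue.url}">${issue.key}</a>: ${issue.summary}</div>`;
}

// Hardened: every untrusted value is encoded for the context it lands in
// (attribute value, link target, text node) before it touches the markup.
function renderIssueCardSafe(issue) {
  const summary = escapeHtml(issue.summary);
  const key = escapeHtml(issue.key);
  return `<div class="issue" title="${summary}">` +
    `<a href="${safeHref(issue.url)}">${key}</a>: ${summary}</div>`;
}

// Constructed sample input: what a user with "create issue" rights could set.
const maliciousIssue = {
  key: 'DEMO-1',
  url: 'javascript:alert(document.cookie)',
  summary: '"><img src=x onerror=alert(1)>',
};

// Crude demonstration check: did the raw injected tag survive into the output?
function injectedTagSurvives(html) {
  return html.includes('<img src=x onerror=alert(1)>');
}

console.log('unsafe :', renderIssueCardUnsafe(maliciousIssue));
console.log('safe   :', renderIssueCardSafe(maliciousIssue));
```

Running it prints the unsafe card with the `<img ... onerror=...>` intact and the `javascript:` link preserved, while the safe card carries only entity-encoded text and a neutralised `href`. The same idea applies to every sink the app writes untrusted Jira data into (templates, `innerHTML`, URL builders); the bounty researchers will look for each one.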
@DPK -
Although we are just customers of Atlassian using Jira/JSM products and not application development vendors, third-party vendors' participation in the Bug Bounty program with Atlassian is one thing that we will always look for. If a third-party vendor is not a participant in the program, then we will not even consider their add-ons at all.
Take a look at the following Atlassian reference links on this program -
https://developer.atlassian.com/platform/marketplace/marketplace-security-bug-bounty-program/
https://www.atlassian.com/trust/security/report-a-vulnerability
https://community.atlassian.com/t5/Trust-Security-articles/Bug-Bounty-July-2023-Update/ba-p/2415834
Again, this is important participation in our opinion.
Best, Joseph