We all know by now that Atlassian's goal is to move all customers to the cloud. It won't happen without trust and security. That's why Atlassian's Ecosystem Security team is working on programs that ensure Marketplace partners and apps surpass customer expectations.
Atlassian's Marketplace Bug Bounty program makes it easy for Marketplace partners to invest in security without a large financial barrier to entry. Atlassian covers the platform licensing with Bugcrowd, and vendors are responsible for triaging the reports and paying out rewards for the bugs researchers find.
To test the new Bug Bounty program, Atlassian ran a Blitz this summer that lasted about six weeks. It included 63 Marketplace partners and more than 170 apps. During the Blitz, Atlassian covered all bug payouts.
Atlassian also has a Cloud security program, which consists of a 13-question self-assessment and the CAIQ-Lite questionnaire. Atlassian is currently testing CAIQ-Lite because it focuses partners on the areas that matter and gives them a better feedback loop.
Atlassian plans to scale the Bug Bounty program to more Cloud and Data Center apps. It plans to introduce badges, visible on the app listing, that show whether an app participates in the Bug Bounty program. Additional requirements for the badge are time spent in the program, exposure to security researchers, and whether the vendor meets the response SLAs, which vary by bug priority.
CAIQ-Lite will eventually replace the existing 13-question self-assessment for partners in the Bug Bounty program, which would further reinforce trust and security. There may also be a badge for completing CAIQ-Lite and participating in the Bug Bounty program, but that is still to be determined.
Atlassian also wants to find more bugs through continuous security scanning, to work on platform security with its internal teams, and to scale the Marketplace Partner program so that more vendors can join.
The Ecosystem Security team wants accountability from Marketplace partners and wants them to prioritize security. Atlassian's goal is to make installing an app in the Cloud as trustworthy for customers as installing one built by Atlassian itself.