
The Atlassian Bug Bounty Program

Bug bounty programs are quickly becoming a go-to way for organizations to increase application security. During these programs industry security experts are given full rein to uncover vulnerabilities and in return are rewarded for their findings.

In this talk, learn how the Atlassian Security team has implemented bug bounty programs from inception, through execution, and the results thus far.


The Atlassian Bug Bounty Program

  1. The Atlassian Bug Bounty Program. Matt Hart, Security Engineer, Atlassian
  2. What is a Bug Bounty?
  3. 85% invalid reports
  4. Time to turn this around
  5. 50% acceptance rate (minimum)
  6-8. Sounds good, but how? Explicit Rules and Scope: be explicit around what is and isn't in scope, and the rules of engagement. New Issue Filtering: filter newly reported issues before they reach the security team. Better Incentives: better incentives attract more researchers and reports of higher quality.
  9. Can't someone else do it? (Me, approximately 10 months ago)
  10. [Chart] Total Bounty Submissions (per bounty), monthly from Nov 16 to Aug 17; series: Jira/Confluence Cloud, StatusPage, Bitbucket Cloud, Server Products.
  11. [Chart] Breakdown of Valid Report Severity, monthly from Nov 16 to Aug 17; series: cvss-critical, cvss-high, cvss-medium, cvss-low.
  12. [Chart] Percentage of Valid Submissions, monthly from Nov 16 to Aug 17.
  13. 75% valid reports
  14. [Chart] Percentage of Valid Submissions (over time), Nov 16 to Aug 17, y-axis from 0 to 1.
  15. [Chart] What 75% Valid Submissions Looks Like, monthly from Nov 16 to Aug 17.
  16. Explicit Rules and Scope: be explicit around what is and isn't in scope, and the rules of engagement. New Issue Filtering: filter newly reported issues before they reach the security team. Better Incentives: better incentives attract more researchers and reports of higher quality. Deeper Analytics.
  17. Thank you! Matt Hart, Security Engineer, Atlassian
