At the start of each quarter, we publish a roll-up report from each of our Bug Bounty programs to give our customers a view of the progress of the program and the vulnerabilities. For many customers, these reports can take the place of a penetration test report and show that we are actively testing and identifying any security issues that are in our products or services.

Our bug bounty program serves as an extension of our own team, providing continuous monitoring and testing for potential vulnerabilities. We believe that this comprehensive approach provides superior value when combined with targeted penetration tests that are also performed (we post updated Letters of Attestation for each product’s penetration test on our Approach to External Security Testing page, at the bottom of the page).

Bug Bounty Stats for the Quarter

In the January 2025 to March 2025 quarter, we had 337 individual security researchers contribute to our bug bounty program, submitting a total of 841 bugs for review, with a total of 250 valid bugs, which is an average of ~34% valid bug to noise ratio (with a low of 19% valid bug to noise ratio in our Statuspage program and a high of 74% valid bug to noise ratio in our Jira Align program) across all of our independent bug bounty programs.

Compared to the October 2024 to December 2024 quarter, we had a 5% decrease in security researchers, 4% increase in bugs submitted for review, and a 25% increase in valid bugs, with a higher bug-to-noise ratio by 7%.

Get the Reports

If you have customers asking for a penetration test report, first point them to the Approach to External Security Testing page where we have published the bug bounty reports for Atlassian core products (including Jira, Confluence and Bitbucket), Jira Align, Opsgenie, Statuspage, Trello, and now Loom. We have also published the same links to the Security Testing section of our Security Practices page.

Download current test reports

These reports show the progress of our bug bounties for the January 2025 to March 2025 quarter. Any security vulnerabilities identified in the reports below are tracked in our internal Jira as they come through the Bug Bounty intake process and are closed according to the SLA timelines on our Security Bug Fix Policy.

• Download the latest Atlassian bug bounty report (2025-04)

• Download the latest Jira Align bug bounty report (2025-04)

• Download the latest Opsgenie bug bounty report (2025-04)

• Download the latest Statuspage bug bounty report (2025-04)

• Download the latest Trello bug bounty report (2025-04)

• Download the latest Loom bug bounty report (2025-04)

Atlassian’s Security Testing Updates

The Security Testing team continues to work closely with cyber security consultancies to conduct thorough penetration tests on Atlassian products.

This approach ensures that Atlassian's products and services undergo rigorous testing and evaluation. By combining the bug bounty program with the efforts by our security testing team, Atlassian can leverage the expertise of external researchers while also maintaining a proactive and comprehensive security posture.

You can read more about these efforts at: Approach to External Security Testing where additionally we publish “Letters of Attestation” for the annual penetration tests performed on Atlassian products. Letters of Attestation published recently include:

• Letter of Attestation for Trello (2025-02)

• Letter of Attestation for Atlassian External & Internal Adversary Simulation Assessment (2025-02)

• Letter of Attestation for Focus (2025-02)

• Letter of Attestation for Confluence Data Center (2025-02)

• Letter of Attestation for Atlassian Home (2025-03)

• Letter of Attestation for Cloud Migration Platform (2025-03)