Last updated Mar 16, 2025

Making your Bug Bounty Program Public

Overview

To strengthen security and foster a collaborative environment, Atlassian requires all Marketplace bug bounty programs to be public. Public programs offer greater accessibility for security researchers, streamline vulnerability reporting, and help ensure programs remain active and effective over time.

Important: Transitioning to a public bug bounty program is not an overnight process. It requires meeting specific prerequisites and may take several weeks depending on your current program status. Plan ahead and start the process early to meet compliance deadlines.

Update March 2026: To help speed up migrations, we have attempted to create ECOHELP tickets for partners who had not already raised one that can be used to track the migration process. If you can't locate your ECOHELP ticket, please raise a new ticket using the process described on this page.

Timeline Expectations

For Existing Bug Bounty Programs

Required milestones:

  • By June 30th, 2026: Program must be fully public or scheduled to go public with Bugcrowd.

For New Bug Bounty Programs

New programs are those launched after February 1st, 2026.

Newly created bug bounty programs start as private and migrate to public following a ramp-up process, which can take up to 6 months. Automation will start this process for you at the 6-month mark, but you can raise the ECOHELP ticket earlier if you meet the prerequisites. If you have participated in app pentests recently, you may also be ready to expedite this process.

Example timeline for new programs:

  1. Months 1-3: Build researcher base to 250+ invited researchers
  2. Months 4-5: Meet all prerequisites and prepare for public launch
  3. Month 6: If not already raised manually, an ECOHELP ticket will be created for you to initiate the public transition.

No exceptions policy:
Unfortunately, there are no exceptions: all Atlassian-managed Marketplace bug bounty programs must be public or actively working toward transitioning to a public program.

Enforcement actions:
If you are not in the process of going public by the compliance deadline, Atlassian is entitled to pause and deactivate your bug bounty program.

Once the program is made public, you will not be able to transition it back to private again.

How to Start the Transition Process

Ready to go public? Start by raising an ECOHELP ticket and we'll create a customized transition plan for your program.

The transition process

1. Initial Request
If you have an existing bug bounty program, check for your existing ECOHELP migration ticket first. If you cannot locate it, raise a new ticket in the ECOHELP queue, and Bugcrowd will work with you on a plan to transition your program to public.

2. Customized Timeline
Timelines and plans to get to public will vary based on:

  • How your program has performed in the past
  • How much ramp-up may be required to get that program to public in a non-overwhelming way
  • Whether you're a new or existing program

3. Scheduled Launch

  • Launch day: Wednesdays at 2PM EST
  • Limited launches: Only three programs launch per week
  • Advance scheduling: Launches are scheduled ahead of time with the Bugcrowd team
  • Program review: The program brief is reviewed prior to launch to ensure clarity and alignment with Atlassian standards

Why Go Public?

Opening your bug bounty program to the public delivers several key benefits:

  • Broader Researcher Access - Public programs are visible to all registered researchers, maximizing opportunities for vulnerability discovery and reward
  • Reliable Reporting Channels - Public visibility ensures researchers can easily find and report vulnerabilities through trusted channels
  • Sustained Program Activity - Public programs are less likely to become stagnant, as ongoing engagement is more likely in a public-facing bug bounty program

Benefits of a Public Bug Bounty Program

Transitioning to a public program is free of charge and offers immediate benefits for your security posture.

Expanded Researcher Pool
Your program will attract a diverse range of security researchers, increasing the likelihood of uncovering critical vulnerabilities.

Increased Visibility
Public programs are listed on bugcrowd.com/engagements, a central hub for researchers seeking new challenges.

Diverse Skill Levels
Engage with researchers of varying experience. Bugcrowd's triage team supports newer participants to maintain submission quality.

Managed Submission Flow
Bugcrowd limits public launches to three per week, allowing triage teams to effectively manage incoming reports.

Enhanced Security Reputation
Public participation demonstrates a strong commitment to security, building trust with customers and the community.

Considerations and Challenges

Plan ahead for these common challenges to ensure a smooth transition to public.

| Challenge | Impact | Mitigation Strategy |
|---|---|---|
| Submission Overload | Teams may be overwhelmed by report volume | Prepare a contingency plan and ensure robust triage processes are in place |

Prerequisites for Public Launch

Before making your bug bounty program public, ensure the following requirements are met:

| Requirement | Description | Why is this important? |
|---|---|---|
| Gradual Researcher Onboarding | Have 250 Researchers Minimum for at least 2 weeks | Prevents overwhelming your triage process with sudden volume spikes |
| Funding | Maintain at least $5,000 in your program account | Ensures you can promptly reward researchers for valid submissions |
| Vulnerability Queue | No more than three P1 (critical) vulnerabilities should be outstanding | Demonstrates your ability to handle critical security issues promptly |
| Consider Increasing Rewards (Suggestion) | At your discretion, you can increase rewards to improve incentives for researchers | Demonstrates your program maturity |
| Queue Hygiene | Ensure there are no overdue items or policy violations in your queue | Shows program maturity and operational readiness |
| Accurate Scope and Targets | Review and confirm that all program scope and targets are up to date | Prevents confusion and misdirected research efforts |
| Robust Review Process | Internal team must have a scalable process for handling increased volume | Critical for managing the initial weeks post-launch effectively |

The internal team responsible for triage must have a scalable process in place to handle increased submission volume, especially during the initial weeks post-launch.

Getting Help

For questions about transitioning your bug bounty program to public:
