We follow Atlassian’s lead as mentioned in their App Security Incident Management Guidelines on how to handle vulnerabilities discovered in our apps. Of course, we stick to Atlassian’s standard on timeframes on how quickly to solve these vulnerabilities depending on the severity level.
Incident management
As soon as we get notice or discover ourselves a security vulnerability, we’ll immediately set up an incident response team which assesses the level of vulnerability and rate it according to CVSS v3. A description of the security levels including examples can be found here: Severity Levels for Security Issues.
...
If there is an ongoing incident, we’ll post it to yasoon Status.
Security Bugfix Policy
We stick to Atlassian's Security Bug Fix Policy, which defines the security standards that developers who host apps on the Atlassian Marketplace must adhere to, especially when dealing with security vulnerabilities. Developers must comply with this policy to ensure they are safeguarding our customers' data.
...