We follow Atlassian’s lead as mentioned in their app security incident management guidelines App Security Incident Management Guidelines on how to handle vulnerabilities discovered in our apps. Of course, we stick to Atlassian’s standard on timeframes on how quickly to solve these vulnerabilities depending on the severity level.
...
Based on the severity level we will treat the vulnerability as described below. in the Security Bugfix Policy and the Incident Management Guidelines, linked above.
However, there might be individual customers' needs, where we need add other, more suitable measures to best comply with Atlassian's standard. For example, we reach out to former customers or evaluators if necessary or set up a communication to individual organizations.
If there is an ongoing incident, we’ll post it to yasoon Status.SLA Bugfix
Security Bugfix Policy
We stick to Atlassian's Security Bug Fix Policy, which defines the security standards that developers who host apps on the Atlassian Marketplace must adhere to, especially when dealing with security vulnerabilities. Developers must comply with this policy to ensure they are safeguarding our customers' data.
You can find out all about this policy as well as SLAs here.