App security incident management guidelines

We follow Atlassian’s lead as mentioned in their app security incident management guidelines on how to handle vulnerabilities discovered in our apps. Of course, we stick to Atlassian’s standard on timeframes on how quickly to solve these vulnerabilities depending on the severity level.

Incident management

As soon as we get notice or discover ourselves a security vulnerability, we’ll immediately set up an incident response team which assesses the level of vulnerability and rate it according to CVSS v3. A description of the security levels including examples can be found here: Severity Levels for Security Issues.

Based on the severity level we will treat the vulnerability as described below. However, there might be individual customers' needs, where we need add other, more suitable measures to best comply with Atlassian's standard. For example, we reach out to former customers or evaluators if necessary or set up a communication to individual organizations.

Security Bug Fix Policy

We follow Atlassian’s Security Bug Fix Policy on how to solve security issues in our Cloud, Server and Datacenter apps.

Medium severity level

Medium severity vulnerabilities will be fixed within 8 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.

High severity level

High severity vulnerabilities will be fixed within 6 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.

Moreover, these types of vulnerabilities are explicitly reported on our release notes: Release notes

Critical severity level

Critical severity vulnerabilities will be fixed within 4 weeks of coming to our knowledge and will be released as a bug fix release as soon as possible. 

Moreover, these types of vulnerabilities are explicitly reported on our release notes: Release notes

Furthermore we will send a Security Advisory email to all known customers and evaluators, i.e. the contacts for the licenses registered at my.atlassian.com.