Last updatedFeb 21, 2019
Improve this page

Security incident communication template

This template is provided for Atlassian Marketplace app vendors who have become aware of a security incident relating to an app (whether or not end user data has been compromised) and are looking to communicate information about it to their customers. This template provides guidance as to the matters that should ideally be covered in an incident notification involving a Marketplace app. Note that this template is not for communications concerning security vulnerabilities. For communicating information about a security vulnerability to your customers, please refer to the vulnerability notification template provided for that purpose.

Necessary information for communication to your customers

You will need the following information to complete this template:

InformationDescription
App nameThe name of your Marketplace app.
Nature of incident

A concise description of what the identified incident is and its potential impact in 2-3 sentences. In cases where end user data has been leaked, also provide an indication of the extent of the data exposure and type(s) of data affected.

For example, this may have been an issue in your Marketplace app which meant that a specific customer’s data was visible to another customer during a three-hour period.

Source of incident information

How you learned about the existence of this issue. For example, through notification from another party, from self-discovery, etc.

Investigation details

What actions you undertook as part of investigating the incident to confirm its potential scope and impact.

Remediation actions

What actions you are taking (or have taken) to fix the incident.

Information about likelihood of exploitation / real-world impact

Details of whether the incident is likely to have resulted in actual impact to customers. For example, if there was any evidence in logs that indicates unauthorized access to customer data, the number of customers affected, etc.

Information about steps customers need to take (if applicable)

For server apps, instructions to fix the error on the managed environment. For example, directions for downloading the latest fix version and applying to server instance.

Communication principles for vendors

  • Be honest
  • Be thorough
  • Don't be tricky and don't try to hide

App incident notification template

The following template provides guidance as to how your communications with customers should look, including content that needs to be covered. Sections in brackets will need to be customised or removed based on the circumstances of your specific case.

Hello,

We are writing to inform you of a security incident that was recently identified relating to the Marketplace app name.

This means that nature and period of incident.

The incident was identified/brought to our notice by identification source and when. Once we became aware of the issue, we investigation details. Based on what we found, remediation actions was done to rectify the issue.

Based on our investigations, this incident has led to the following impacts / is not likely to have had any impacts on you).

steps customer needs to take, if applicable.

We want you to know that we take this issue very seriously. Please accept our sincere apologies for any inconvenience this may have caused. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers.

If you have any questions, please feel free to raise a support request at support.atlassian.com referencing ticket number.

Sincerely,

Representative Name
Marketplace vendor name