This guide provides Atlassian Marketplace app vendors with advice on the steps you need to take if you are notified of (or become aware of) a possible security incident affecting one of your apps.
Any actual or suspected unauthorized access, acquisition, use, disclosure, modification or destruction of end user data in your possession or control as a Marketplace Vendor (or in the possession or control of your agents or contractors)
A security vulnerability or compromise of your app
For Cloud apps, any issue that materially degrades Atlassian systems or networks
If you've experienced a security incident with a Marketplace app, the following steps outline what you need to do:
Identify the root cause of the incident, for example, by consulting logs, reviewing code, etc.
Confirm whether any end user data might have been compromised.
Determine how long the security issue might have been present.
Determine which users of your app were affected and all information that was or may have been compromised.
Consider engaging external help such as an incident response partner or security consultant to help with this process if required.
Make sure to promptly (and no later than 24 hours) notify us about the incident and provide the requested information outlined below (to the extent the information is available) by raising an app security incident ticket.
You may be asked by Atlassian to provide further information and assistance related to the Incident, so make sure you have an updated contact for Security Incidents listed in the Marketplace Vendor Portal.
All Top Vendors must provide an up to date emergency contact, including name, direct email and cell phone number in the Top Vendor tab located in the Vendor Portal.
Information that Atlassian will need includes answers to the following questions. If you don't currently have all the information above, provide what you currently have to Atlassian and provide updates when you have more information available.
|What is the category of security incident that has occurred (e.g., vulnerability, malicious attacker, cross tenant data leakage, etc.) and its scope?||Information about the type of incident that has occurred, how long it has been present, and the extent to which customers or end users may have been impacted.|
|Could the security incident have had any impact on end user data? If so, will those end users be notified in accordance with any applicable laws or contractual agreements?||End user data includes names of end users, company names, physical or email addresses, phone numbers (Atlassian collected end user data) or any other information or data you have collected from end users.|
If end user data has been impacted, also provide information on the likely number of customers impacted.
|What type of data was included in the data breach?||If data was breached or leaked, list the types of data included. This can include data other than end user data.|
|Do you have an anticipated / expected timeframe in which you expect the incident will be resolved?||Estimates you might have as to how long it will take for you to resolve the incident and your reasons for the timeframes provided.|
|What measures have been taken so far, or do you plan to take, to contain the incident?||Describe what action was (or will be) taken to contain the security incident, and in particular prevent further exposure or loss of End User Data.|
|What is your plan for communicating with end users regarding this incident?||Describe any communications you have already made or plan to make to end users regarding the incident.|
|Has the underlying issue / cause of the incident been identified? If so, please provide details.||Describe the results of any investigations that have been undertaken to identify the underlying issue(s) / root causes of the security incident.|
|What remedial actions have been taken to remove the root cause of the incident and prevent similar incidents occurring in future?||Describe the remedial or corrective actions – both in terms of technical and organisational controls – to prevent similar incidents happening in the future.|
|What are the contact details for the appropriate person to contact on this issue should Atlassian wish to communicate further?||Provide email address and phone number at minimum.|
Contain the incident as rapidly as possible to prevent further impacts to customers, including the potential loss of End User Data.
This may require making the decision to temporarily restrict access by end users to your app. For example, you might delist your app from the Marketplace while remedial action is being implemented.
Atlassian will liase with you regarding options here.
Keep in contact with Atlassian no less than every 6 hours to provide updates on the progress of remediation efforts and details of specific actions taken.
In the case of a security incident involving one of your Marketplace apps, depending on the context and data involved it is important you consider communicating the details of the incident to affected customers, including what action you are taking in response. When possible, Atlassian recommends notifying customers within 72 hours of identification of an incident.
See the template for security incident communication for guidance as to the matters that should ideally be covered in an incident notification involving a Marketplace app.
For communicating information about a security vulnerability to your customers, please refer to the vulnerability notification template provided for that purpose.
During the aftermath of an incident, it’s important to remain vigilant to confirm the incident has indeed been fully resolved, and to identify any lessons you can take into account for future incidents to handle them better. Make sure to consider the following:
Are there any indicators of compromise that are still present? (monitoring tools can also be used to help confirm this)
Are there any lessons that have been learned from the response to the incident that need to be used to update your organization’s incident response process? Are there any lessons to reduce time taken to investigate or resolve the situation?
Have any actions been taken to reduce the chances of a similar future security compromise?
Does your logging need to be improved in order to expedite investigation for any future incidents?
Do your external cyber security advisers / incident response firm agree the incident is resolved?
Once you have conducted a post incident review, Atlassian may engage with you further to discuss the findings. You should also submit any details regarding findings from the post incident review via the ticket you used to raise the incident.
It is your responsibility to be aware of what your specific legal obligations (whether contractual or regulatory) are across the jurisdictions in which you operate, and ensure you comply with them. The loss or compromise of End User Data in particular can raise additional legal obligations on your part (including in some cases mandatory notification to affected end users, customers, and data protection authorities), which you may need to comply with.
You may also be asked by Atlassian to certify that the incident has been satisfactorily resolved, that you have complied with all relevant legal obligations in relation to notifying End Users, as well as a range of other matters. You will be notified if this is the case.
For pointers on how to be effectively prepared for responding to cyber security incidents, read Preparing for a security incident.