Last updatedFeb 14, 2019

App vulnerability notification template

This template is provided for Atlassian Marketplace app vendors who have become aware of a critical vulnerability in their app (whether or not end user data has been compromised) and are looking to communicate information about the vulnerability to their customers. It provides guidance as to the matters that should ideally be covered in a vulnerability notification involving a Marketplace app.

Necessary information for communication to your customers

You will need the following information to complete this template:

InformationDescription
App nameThe name of your Marketplace app.
Version numberVersion of your app in which the vulnerability was identified.
Affected versionsA list of all app versions affected by this vulnerability.
Nature of vulnerability

A concise description of what the identified vulnerability and its potential impacts is in 2-3 sentences. Consider covering what could potentially be done with that vulnerability by a malicious party.

For example, this might be an issue in your Marketplace app which meant that customer data could have been exposed to other users of the App, or that a critical vulnerability was discovered which allowed your app to be hacked, which could potentially have exposed end user data.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
	</tr>
	<tr>
		<td valign="top"><b>Source of vulnerability identification</b></td>
		<td valign="top">
		<p>How you learned about the existence of this issue. 

		For example, you may have received notification from another party, or through self-discovery, etc.</p>

		</td>
	</tr>
	<tr>
		<td valign="top"><b>Investigation details</b></td>
		<td valign="top"><p>What actions you undertook as part of investigating the vulnerability to confirm it's potential scope and impact.</p></td>
	</tr>
	<tr>
		<td valign="top"><b>Remediation actions</b></td>
		<td valign="top"><p>What you actions you are taking (or have taken) to fix the vulnerability.</p></td>
	</tr>
	<tr>
		<td valign="top"><b>Information about likelihood of exploitation / real-world impacts</b></td>
		<td valign="top"><p>Details of whether the vulnerability is likely to have been exploited or resulted in actual impacts to customers. For example, if there any evidence in logs that indicates the vulnerability has been actively exploited, the number of customers is likely to have been affected, etc.</p></td>
	</tr>

</tbody>

Communication principles for vendors

  • Be honest
  • Be thorough
  • Don't be tricky and don't try to hide

Vulnerability notification template for cloud apps

The following template provides guidance as to how your communications with customers should look, including content that needs to be covered. Sections in brackets will need to be customised or removed based on the circumstances of your specific case.

Hello,

We are writing to inform you of a security vulnerability that was recently identified in the Marketplace app name. The vulnerability affects version number(s) of the Marketplace app name developed by us. The vulnerability means that nature of vulnerability including whether any end user data may have been compromised. period vulnerability was present (for example, specific date and times).

This vulnerability has been rated as severity rating (for example, medium, critical, etc.), according to the scale published on the Common Vulnerability Scoring System (CVSS).

The vulnerability was identified / brought to our notice by identification source and when. Once we became aware of the issue, we investigation details]. Based on what we found, remediation actions have been taken ensure that this vulnerability is now fixed.

Based on our investigations, the vulnerability has led to the following impacts / is not likely to have had any impacts on you. information about real-world impacts.

We are working with Atlassian to update the Atlassian Marketplace with an updated listing of our app that is free from this vulnerability. No further action is required from you at this point.

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at support.atlassian.com referencing issue number.

Sincerely,

Representative Name
Marketplace vendor name

Vulnerability notification template for server apps (P2, plugin)

The communication template below is nearly identical to the template above for cloud-based apps. The main difference is in the section explaining how the customer will need to apply the app update to their server instance.

Hello,

We are writing to inform you of a security vulnerability that was recently identified in the Marketplace app name. The vulnerability affects version number(s) of the Marketplace app name developed by us. The vulnerability means that nature and period of vulnerability.

This vulnerability has been rated as severity rating (for example, medium, critical, etc.), according to the scale published on the Common Vulnerability Scoring System (CVSS).

The vulnerability was identified / brought to our notice by identification source and when. Once we became aware of the issue, we actions taken (for example, internal investigation). Based on what we found, remediation actions have been taken ensure that this vulnerability is now fixed.

Based on our investigations, the vulnerability has led to the following impacts / is not likely to have had any impacts on you. If applicable describe potential impacts on customers, including number affected and whether end user data is likely to have been compromised.

In order to fix the vulnerability in your environment, directions for updating app to fixed version.

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you and our other customers.

If you have any questions, please feel free to raise a support request at support.atlassian.com referencing issue number.

Sincerely,

Representative Name
Marketplace vendor name

Example email notification

The example below shows a vendor communication about a vulnerability for a cloud app.

Hello,

We are writing to inform you of a vulnerability in Sample App that inadvertently exposed your data to another Sample Inc. customer. The vulnerability affects version 2.7 of the app developed by us. The vulnerability means that data that included user names, session titles, and notes, was exposed. The exposure occurred on 1 January 2019 at approximately 22:00 PST.

This vulnerability has been rated as critical, according to the scale published on the Common Vulnerability Scoring System (CVSS).

The vulnerability was brought to our notice on 2 January 2019 at approximately 09:00 PST by the user who noticed the issue. Once we became aware of the issue, we took immediate action to investigate the matter. Based on what we found, we were able to identify where the issue lies in our app code and implement changes to our code to ensure that this vulnerability is now fixed.

Based on our investigations, including analyzing our log files, the vulnerability has led to your data being viewable to a very limited number of other users (in most cases only a single user) of the app. This data would have been displayed in the list of recent sessions accessible by the user. We do not have any evidence to suggest that any of your payment data or contact information was exposed.

We are working with Atlassian to update the Atlassian cloud environment with an updated version of our app that is free from this vulnerability. No further action is required from you at this point.

We want you to know that we take this issue very seriously. We are conducting a thorough review of our internal processes to ensure this does not occur again for you or other customers. Please accept our sincere apologies for any inconvenience this may have caused.

If you have any questions please feel free to raise a support request at support.atlassian.com referencing ACME-1234.

Sincerely,

A. Smith
Sample Inc.