Atlassian hosts public bug bounty programs to provide a central channel for anyone to report security vulnerabilities identified in Atlassian products. If you identify a security vulnerability on any Atlassian product or Marketplace app that you do not own, you can report them using one of the methods listed here.
AMS is considered the single source of truth for security vulnerabilities in third-party Marketplace apps. Vulnerabilities from any source, including bug bounty, scanners, security reviews, and external reports are funneled into AMS and then tracked for remediation. For more information about the Ecosystem Vulnerability Management framework see Vulnerability management for Marketplace apps.
You can manually raise an AMS ticket to report a security vulnerability on your Marketplace app. Additional instructions on when to manually raise an AMS ticket are explained below.
When you are notified of (or become aware of) a possible security vulnerability on your Marketplace app and the vulnerability is not reported through your Marketplace Security Bug Bounty Program, you can manually raise a Security Vulnerability issue type in AMS to notify Atlassian.
While we do not mandate reporting every single vulnerability you become aware of, following scenarios would help you decide when you would want to raise a ticket in AMS,
When you are aware of a vulnerability, but unsure how to fix or need Atlassian’s input in resolving it.
When you need help investigating/understanding the impact of a vulnerability.
When you want to keep Atlassian informed and use our AMS project to track vulnerability remediation.
Reporting vulnerability vs security incident
Only the security vulnerabilities on Marketplace apps must be reported to AMS. All security incidents must follow incident management guidelines and must be notified to Atlassian by raising an app security incident ticket.
Anyone from the Marketplace Partner organization can run this play.
| Action | |
|---|---|
| 1 | Login to Atlassian Marketplace Security(AMS). |
| 2 | Check whether the vulnerability has already been raised by searching existing issues. Note: You can narrow down your search by app (use Marketplace App Name or Marketplace App Key fields) or partner (use Partner Name or Partner ID fields). |
| 3 | Score the security vulnerability you are reporting using the CVSS calculator. Note the numerical score, the URL of the corresponding CVSS vector, and the vulnerability severity level. Note: For more information about how to score security vulnerabilities, see CVSS v3.0 User Guide |
| 4 | If the issue has not already been raised in AMS, create a new issue and set only the below mentioned fields. From the Create issue screen: 1. Set Project to Atlassian Marketplace Security.2. Set Issue Type to Security Vulnerability.3. Provide a brief Summary of the vulnerability you are reporting.4. Provide the Description of the vulnerability. Include as much information as possible, such as reproduction steps, impact, and remediation strategies.5. Populate Assignee by assigning the issue to yourself or respective contact from your organization.6. Set the CVSS V3 Score, CVSS V3 URL, and Vulnerability Severity Level fields to values you obtained from Step 3.7. Set the Source field to Partner Report.8. Select the appropriate Vulnerability Class.9. Set Partner Name, Partner URL, Partner ID, Marketplace App Key, and Marketplace App Name as listed on Marketplace.10. Set the Hosting field to describe hosting version of the app.11. Leave the rest of the fields blank or in their default state. 12. Create the ticket. Note: Our automation will automatically add partner contacts to partner participants field and set the corresponding remediation SLA based on the severity of the vulnerability. For more information on issue fields, refer Marketplace Vulnerability Tracking | fields |
| 5 | Once an AMS ticket is created, optionally you can transition the ticket to Atlassian Input Requested if you need assistance from Atlassian.Our Security Engineer will respond to your query on the ticket. |
Rate this page: