Atlassian hosts public bug bounty programs to provide a central channel for anyone to report security vulnerabilities identified in Atlassian products. If you identify a security vulnerability in any Atlassian product or Marketplace app that you do not own, you can report it using one of the methods listed here.
AMS is considered the single source of truth for security vulnerabilities in third-party Marketplace apps. Vulnerabilities from any source, including bug bounty, scanners, security reviews, and external reports, are funneled into AMS and then tracked for remediation. For more information about the Ecosystem Vulnerability Management framework, see Vulnerability management for Marketplace apps.
You can manually raise an AMS ticket to report a security vulnerability on your Marketplace app. Additional instructions on when to manually raise an AMS ticket are explained below.
When you are notified of (or become aware of) a possible security vulnerability in your Marketplace app and the vulnerability is not reported through your Marketplace Security Bug Bounty Program, you can manually raise an issue in AMS to notify Atlassian.
While we do not mandate reporting every single vulnerability you become aware of, the following scenarios would help you decide when you would want to raise a ticket in AMS:
When you are aware of a vulnerability but are unsure how to fix it, or need Atlassian's input in resolving it.
When you need help investigating or understanding the impact of a vulnerability.
When you want to keep Atlassian informed and use our AMS project to track vulnerability remediation.
Use the play described below when you want to manually raise an AMS ticket.
Anyone from the Marketplace Partner organization can run this play.
Step 1. Log in to Atlassian Marketplace Security (AMS).
Step 2. Check whether the vulnerability has already been raised by searching existing issues.
Note: You can narrow down your search by app (use or fields) or partner (use or fields).
Step 3. Score the security vulnerability you are reporting using the CVSS calculator. Note the numerical score, the URL of the corresponding CVSS vector, and the vulnerability severity level.
Note: For more information about how to score security vulnerabilities, see the CVSS v3.0 User Guide.
Step 4. If the issue has not already been raised in AMS, create a new issue and set only the fields listed below.
From the Create issue screen:
1. Set to Atlassian Marketplace Security.
2. Set to Security Vulnerability.
3. Provide a brief of the vulnerability you are reporting.
4. Provide the of the vulnerability. Include as much information as possible, such as reproduction steps, impact, and remediation strategies.
5. Populate by assigning the issue to yourself or the respective contact from your organization.
6. Set the , , and fields to values you obtained from Step 3.
7. Set the field to .
8. Select the appropriate .
9. Set , , , , and as listed on Marketplace.
10. Set the field to describe the hosting version of the app.
11. Leave the rest of the fields blank or in their default state.
12. Create the ticket.
Note: Our automation will automatically add partner contacts to the partner participants field and set the corresponding remediation SLA based on the severity of the vulnerability. For more information on issue fields, refer to Marketplace Vulnerability Tracking | fields.
Step 5. Once an AMS ticket is created, you can optionally transition the ticket to if you need assistance from Atlassian.
Our Security Engineer will respond to your query on the ticket.