Last updated Sep 28, 2021


Instructions on manually raising AMS tickets for marketplace partners

Atlassian hosts public bug bounty programs to provide a central channel for anyone to report security vulnerabilities identified in Atlassian products. If you identify a security vulnerability in any Atlassian product or Marketplace app that you do not own, you can report it using one of the methods listed here.

Reporting a security vulnerability on your marketplace app

What is a Vulnerability?

As per AMS, “When there is a threat to the confidentiality, integrity, or availability of Atlassian customer's data through a flaw/weakness in a marketplace app and calculated CVSS score is non-zero, it is considered to be a security vulnerability against the app.”

AMS is considered the single source of truth for security vulnerabilities in third-party Marketplace apps. Vulnerabilities from any source, including bug bounty, scanners, security reviews, and external reports are funneled into AMS and then tracked for remediation. For more information about the Ecosystem Vulnerability Management framework see Vulnerability management for Marketplace apps.

You can manually raise an AMS ticket to report a security vulnerability on your Marketplace app. Additional instructions on when to manually raise an AMS ticket are explained below.

When can you manually raise an AMS ticket?

When you are notified of (or become aware of) a possible security vulnerability on your Marketplace app and the vulnerability is not reported through your Marketplace Security Bug Bounty Program, you can manually raise a Security Vulnerability issue type in AMS to notify Atlassian.

While we do not mandate reporting every single vulnerability you become aware of, the following scenarios will help you decide when to raise a ticket in AMS:

Reporting Vulnerability vs Security Incident

Only security vulnerabilities in Marketplace apps are reported to AMS. All security incidents must follow the incident management guidelines and must be reported to Atlassian by raising an app security incident ticket.

Use the play described below when you want to manually raise an AMS ticket.

Who should run this play?

Anyone from the Marketplace Partner organization can run this play.

Running this play

1. Log in to Atlassian Marketplace Security (AMS).

2. Check whether the vulnerability has already been raised by searching existing issues.

   Note: You can narrow down your search by app (use the Marketplace App Name or Marketplace App Key fields) or by partner (use the Partner Name or Partner ID fields).

3. Score the security vulnerability you are reporting using the CVSS calculator. Note the numerical score, the URL of the corresponding CVSS vector, and the vulnerability severity level.

   Note: For more information about how to score security vulnerabilities, see the CVSS v3.0 User Guide.

4. If the issue has not already been raised in AMS, create a new issue and set only the fields listed below.

   From the Create issue screen:
   1. Set Project to Atlassian Marketplace Security.
   2. Set Issue Type to Security Vulnerability.
   3. Provide a brief Summary of the vulnerability you are reporting.
   4. Provide the Description of the vulnerability. Include as much information as possible, such as reproduction steps, impact, and remediation strategies.
   5. Populate Assignee by assigning the issue to yourself or to the respective contact from your organization.
   6. Set the CVSS V3 Score, CVSS V3 URL, and Vulnerability Severity Level fields to the values you obtained in Step 3.
   7. Set the Source field to Partner Report.
   8. Select the appropriate Vulnerability Class.
   9. Set Partner Name, Partner URL, Partner ID, Marketplace App Key, and Marketplace App Name as listed on Marketplace.
   10. Set the Hosting field to describe the hosting version of the app.
   11. Leave the rest of the fields blank or in their default state.
   12. Create the ticket.

   Note: Our automation will automatically add partner contacts to the Partner Participants field and set the corresponding remediation SLA based on the severity of the vulnerability. For more information on issue fields, refer to Marketplace Vulnerability Tracking | fields.

5. Once an AMS ticket is created, you can optionally transition the ticket to Atlassian Input Requested if you need assistance from Atlassian. Our Security Engineer will respond to your query on the ticket.
