Last updated Jun 10, 2026

Partner Security Incident Response Program

Who is this program intended for and what does it cover?

This guide explains how Atlassian Marketplace partners and Atlassian Security collaborate during security incidents involving Marketplace apps and customer data. It covers how to report an incident, what qualifies for a collaborative response, what data Atlassian can share with you, and the conditions that govern that sharing.

The program is mainly intended for Marketplace partners building apps on Forge, though the level of support varies by hosting model. For Forge Remote apps, Connect on Forge and Connect apps, partners remain responsible for server-side logging on their own infrastructure.

This page builds on the App security incident management guidelines and sets out how the enhanced, collaborative incident response works for Platinum partners and eligible Enterprise apps that qualify for the new Marketplace trust signal.

When should you notify Atlassian?

Before engaging this program, review our incident definition and use the checklist below to decide whether your situation is a security incident that needs joint investigation with Atlassian.

Notify Atlassian if any of the following apply:

  • You have confirmed or strongly suspect that your Marketplace app has been compromised (for example, unauthorized code changes, or stolen API/OAuth tokens or credentials).
  • Customer data that flows through your app may have been accessed, exfiltrated, or manipulated without authorization.
  • Your Forge app is exhibiting suspicious behavior that you cannot diagnose from your own logs or backend (for example, unexpected API calls).
  • You have discovered a supply-chain compromise affecting a dependency of your Marketplace app.
  • An external party (for example, a customer, researcher, or threat intelligence source) has reported credible evidence of exploitation of your app.
  • A threat actor is actively exploiting a vulnerability in your app.
  • Any other critical security escalation related to your app.

You likely do not need to open a security incident if:

  • Your app has a functional bug or performance issue with no evidence of security impact.
  • A customer reported an error that appears to be a misconfiguration.
  • You are responding to a routine bug bounty report that has no evidence of exploitation (unless it is a critical-severity finding with high customer impact).

When in doubt, report it

Atlassian Security will triage and confirm the severity. Early notification reduces customer impact.

Who is eligible

Partner / app type | Support level
All Marketplace partners and Forge apps | Async support via a developer support ticket and/or email.
Platinum partners | Joint incident response collaboration (real-time coordination, log sharing, collaborative IR).
Enterprise Forge apps (new trust signal) | Joint incident response collaboration (real-time coordination, log sharing, collaborative IR).
Forge Remote / Connect on Forge / Connect apps | Atlassian's assistance is limited to platform-level data (such as app telemetry and product API calls), because app compute runs on external infrastructure and Atlassian has no visibility into server-side logs or runtime behavior.

Server and Data Center apps, which run on customer-managed infrastructure outside Atlassian's visibility, are not in scope.

Eligibility for real-time collaboration is assessed during incident triage and is at Atlassian's discretion. If your partner tier changes, contact your Partner Manager to confirm your current eligibility.

Where to report

Submit your report through the developer support portal.

What happens next?

Submitting the report:

  • Creates a shared support ticket that serves as the system of record for you and Atlassian.
  • Notifies the Atlassian Incident Response team, who begin triage.
  • Lets the Atlassian Incident Response team review severity and confirm eligibility (Platinum partner or Enterprise app, and a confirmed security event).

The Atlassian Incident Response team then makes a decision:

  • For qualified events, Atlassian Incident Response sets up collaboration channels and begins a joint investigation.
  • For other events, Atlassian Security provides async guidance and updates through the developer support ticket.

Atlassian may also initiate this process on your behalf if Atlassian Security detects a security issue with your app.

If you cannot access the developer support portal, go to Atlassian Support and select Security concern from the drop-down, or email security@atlassian.com.

Collaboration channels for qualified incidents

For qualified incidents, Atlassian sets up the channels below. If your organization cannot use a given tool, coordination happens over email and scheduled calls.

Channel | Purpose
Support ticket | System of record. All key decisions, timelines, and evidence references are captured here.
Email | Formal updates and async communication when real-time channels are unavailable.
Real-time chat | Primary real-time coordination via a Slack channel during the incident.
Live war room | Live incident coordination via Zoom for high-severity events.
Secure file exchange | Bidirectional exchange of logs and artifacts via a secure Google Drive.

What to include in your report

Provide as much detail as you have at the time of submission. Update the ticket as your investigation progresses — don't wait until you have complete information.

Field | What to include
Incident summary | What happened, what you have done so far, and the current status.
Affected app details | App name, app key, Forge app ID, environment (development / staging / production), and distribution status (public / unlisted / private).
Impact assessment | Suspected data exposure type, estimated number of affected tenants or customers, and affected Atlassian products.
Timestamps | Timeline of events: when first observed, when detected internally, and when containment began.
Indicators of compromise (IOCs) | Suspicious account IDs (AAIDs), IP addresses, unusual API endpoints, unexpected scope or egress changes, and malformed requests.
Attachments | Any initial logs, screenshots, or artifacts.
Incident contacts | Primary and secondary contacts: name, role, email, and phone.

What Atlassian may share with you

Atlassian can share logs and telemetry that relate specifically to your app's activity on Atlassian platforms. The categories below are a high-level overview of the types of logs typically shared. All sharing is governed by data minimization, privacy review, and incident-relevance principles, and is subject to the constraints listed below.

Log / telemetry category | Description
App metadata and installation footprint | App listing metadata and installation footprint that help identify your app, understand where it is installed, and determine which customers, tenants, environments, or workspaces may be affected.
App versions, configuration, and lifecycle events | Logs describing how your app's versions and configuration changed over time, including install, uninstall, and update events. Used to reconstruct which version, permissions, and network settings were in place at the time of an incident.
Developer tooling and tunnel usage | Limited Forge CLI logs relevant to IR, such as Forge tunnel creation events and app creation metadata. Used to understand who last interacted with the app's development tooling around the time of the incident.
Runtime, deployment, and webhook events | Logs describing when your Forge app environments are created, updated, and deployed, including storage and webhook triggers, scope/permission updates, CDN deployments, and manifest updates.
App activity logs | Logs showing how your app interacted with Atlassian Cloud products during the incident window. Where customer-identifying data is present, fields are minimized or pseudonymized, and sharing is subject to Atlassian Legal/Privacy review. Currently limited to Premium and Enterprise tier tenants.

Log provisioning depends on the incident. The Atlassian Incident Response team determines relevance and shares the logs needed to scope and remediate the issue, applying data minimization throughout.

Key constraints on log sharing

  • Incident scope only. Logs are extracted for a specific time window and app, tied to the incident under investigation. Logs aren't shared in bulk or for ongoing monitoring.
  • 12-month maximum look-back. Log sharing is limited to a maximum of 12 months before the incident. Older logs aren't available.
  • Cold storage threshold. Logs in cold storage are retrieved only when active exploitation of customer data is confirmed, due to cost and retrieval time. Atlassian IR makes this determination during triage.
  • Customer personal data requires Legal approval. Any log containing customer account IDs, source IP addresses, or customer email domains requires Atlassian Legal/Privacy review and approval before sharing. Atlassian IR starts this process and tells you the expected timeline.
  • Data classification compliance. Logs classified as RESTRICTED are encrypted in transit and at rest and must be handled accordingly on your side.
  • No direct log access. Partners don't get direct access to Atlassian's logging services. All logs are extracted, reviewed, and delivered by Atlassian Incident Response.
  • Data retention after the incident. Shared logs must be deleted within 90 days of incident closure unless a legal hold applies.

How to handle shared logs and data

When Atlassian shares logs or data with you during an incident, handle them under the constraints listed above: use them only for the incident under investigation, treat logs classified as RESTRICTED accordingly (encrypted in transit and at rest), and delete them within 90 days of incident closure unless a legal hold applies.

Partner Responsibilities

Under the Marketplace Partner Agreement, partners must maintain current security incident contacts and respond promptly to Atlassian communications during security events. If your team does not acknowledge Atlassian's outreach, Atlassian may take unilateral containment action (such as disabling your app) to protect customer data when there is an imminent threat. To remain eligible for this program and receive timely collaborative support, partners must:

  • Maintain current incident contacts: Provide at least one primary and one secondary contact for 24/5 support, and update them whenever your team changes.
  • Respond promptly: Acknowledge Atlassian outreach within 8 hours, then begin containment based on the nature and severity of the incident.
  • Execute mitigations: Implement the containment and remediation steps agreed during the investigation (for example, credential rotation, scope reduction, patching, or hotfix deployment).
  • Notify your customers: You are responsible for notifying your customers of incidents involving the app or their data, in line with your legal obligations and any timelines Atlassian advises.
  • Handle shared data responsibly. Follow the data handling requirements above.

Roles and Responsibilities Overview

Role | Responsibilities
Atlassian Security / Incident Response | Drives triage and investigation, runs log queries, coordinates platform log sharing with approval, sets up collaboration channels for qualified incidents, and drives platform-side containment.
Partner | Submits accurate incident details, provides current contacts, shares logs as requested, investigates, contains, executes mitigations, notifies customers, and provides a root cause analysis.

Framework-specific Guidance

The following table outlines where each app framework runs its compute and what Atlassian can see and support during an incident.

Framework | Where compute runs | Atlassian visibility and support
Runs on Atlassian Forge apps | Built and deployed entirely on the Atlassian Forge platform. These apps don't natively egress data, and all components run within Atlassian's infrastructure. | Atlassian has comprehensive telemetry, including runtime invocation logs, lifecycle events, deployment history, and app activity traces. During an incident, Atlassian can fully support your investigation through available platform logs. This is the architecture with the fullest Atlassian support under this program.
Forge Remote apps | Delegate compute or processing to a remote host you own and operate. This split determines what Atlassian can and cannot see, making incident response a shared responsibility. | Atlassian has visibility into the Forge layer that invokes your remote host. The remote compute itself is not visible to Atlassian, so you must use your own backend logs to investigate activity on your host.
Connect on Forge / Connect apps | The app's runtime is completely hosted on your own infrastructure. | Atlassian provides platform-side telemetry (for example, product API calls and webhook event data), but you must use your own backend logs to investigate activity on your host.
Server / Data Center apps | Run on customer-managed infrastructure. | Outside the scope of this program. Atlassian has no visibility into customer-managed infrastructure.

FAQs

Can Atlassian initiate an incident on our behalf? Yes. If Atlassian Security detects suspicious activity related to your app, Atlassian uses the same developer support portal to open a ticket and engage your incident contacts directly.

We're not a Platinum partner — can we still report? Yes. Any Marketplace partner can submit a report via the developer support portal. Non-Platinum partners receive async support and guidance.

Can we get logs proactively, before an incident happens? No. Log sharing under this program is strictly limited to confirmed or strongly suspected security incidents. Proactive or on-demand log access outside of incidents isn't available.

Can we request logs older than 12 months? No. The maximum look-back period is 12 months. Cold storage retrieval is authorized only when active exploitation of customer data is confirmed, due to cost and retrieval time. Atlassian Incident Response makes this determination during triage.

What if we need logs with PII/UGC data (such as account IDs, IP addresses)? Atlassian Legal/Privacy must approve this before it's shared. Atlassian Incident Response starts the approval process. Expect a few business days for this step. These logs are encrypted in transit and must be handled as RESTRICTED data on your end.

Who do we contact with questions outside of an active incident? Reach out to your Partner Manager or to Developer and Marketplace support.
