To enhance the security of all Marketplace apps, we are introducing a security questionnaire for Marketplace partners. This questionnaire will be part of the app listing and app review processes. Our goal is to ensure partners are aware of and adhere to security best practices, thereby raising the overall security baseline of the Atlassian Marketplace.
While we currently do not enforce these security practices as requirements, we strongly recommend that partners implement them to strengthen their organization's security posture. These measures represent industry best practices and can significantly reduce security risks.
In addition to this security questionnaire, partners are required to complete Know Your Business (KYB) and Know Your Customer (KYC) verification through Atlassian's designated vendor. More details on the verification process will be published prior to the security policy rollout.
| Category | Questions |
|---|---|
| Company Information | 1. How many people are employed at your company? [ ] Micro-sized business: 1-9 employees [ ] Small business: 10-49 employees [ ] Medium-sized company: 50-249 employees [ ] Large company: 250 or more employees |
| | 2. Have you ever been banned or revoked from Atlassian Marketplace? (Yes/No) |
| Workstation and Account Security | 3. Do you use any kind of Anti-Virus or Endpoint protection products on your workstations? (Yes/No) |
| | 4. Have you enabled full disk encryption (FDE) on workstations you use for app development activities? (Yes/No) |
| | 5. Do you have a patch management process in place to keep operating systems and software up to date on your workstations? (Yes/No) |
| | 6. Is Multi-Factor Authentication (MFA) required for all accounts accessing company systems? (Yes/No) |
| Infrastructure Security | 7. Do you encrypt data at rest on your app servers (AES-256 or equivalent is recommended)? (Yes/No) |
| | a. If yes, do you also encrypt your backup data? (Yes/No) |
| | 8. Do you maintain logs with timestamps for the following information? (Yes/No) [ ] Failed login attempts: Track unsuccessful login attempts to identify potential unauthorized access attempts. [ ] Session activity logs: Monitor user session activities to detect any unusual behavior. [ ] App event logs: Record key events to identify unauthorized or suspicious activities within the app. [ ] API access logs: Record API calls made by users or bots, including timestamps and response statuses. [ ] Changes to permissions: Document any changes made to user roles and permissions within the app and the cloud-based environment. [ ] Data export and import logs: Keep track of any data exports or imports, including who performed the action and when. [ ] Third-party integrations: Monitor logs related to third-party app integrations and their activities. [ ] Application configuration changes: Systematically record all modifications made to the app's settings and configurations. [ ] Administrative actions: Log all admin activities such as creating or modifying users. [ ] User Agent / IP Address: The user agent strings and IP addresses (and therefore countries) of user logins, especially admin users. [ ] Multi-Factor Authentication (MFA) activities: 2FA devices added to or removed from your account. |
| | 9. Do you log sensitive data like credentials, API/access tokens, passwords, or unnecessary personal information? (Yes/No) |
| | 10. Do you store logs for at least the last 12 months of events relating to your IT environment? (Yes/No) |
| | 11. Do you have a log monitoring system in place that triggers alerts for any detected anomalies? (Yes/No) |
| Development | 12. Is Multi-Factor Authentication (MFA) required to access your source code management system (e.g. Bitbucket, GitHub)? (Yes/No) |
| | 13. Are pull requests required to push changes to production code? (Yes/No) |
| | 14. Do pull requests require peer approval? (Yes/No) |
| | 15. Have you reviewed the OWASP Top 10 for the most common security risks when creating apps? (Yes/No) |
| | 16. Is security testing integrated into your development process? (Yes/No) |
| | 17. Do you ensure that the libraries or frameworks you are using are free from known vulnerabilities? (Yes/No) |
| | 18. Do you manage and rotate API keys and secrets periodically? (Yes/No) |
| Policy, Processes and Documentation | 19. Do you enforce a strong password policy within your company? (Yes/No) |
| | 20. Do you possess a comprehensive incident response plan that outlines the steps to be taken in the event of a security incident or breach? (Yes/No) |
| Bug Bounty & Pentest | 21. Do you participate in the Marketplace security bug bounty program? (Yes/No) |
| | a. If no, do you host your bug bounty program with a provider other than Bugcrowd? |
| | b. If no, are you interested in onboarding to our Marketplace security bug bounty program? |
| | 22. Do you perform regular penetration testing in-house or with an external vendor? (Yes/No) |
| Audits & Certifications | 23. Do you currently hold any compliance certifications relevant to your domain, such as ISO, PCI, HIPAA, or SOC 2? (Yes/No) |
| | a. If yes, can you provide the list of all the certifications? |
| | 24. Do you conduct any external security audits/assessments for regulatory compliance? (Yes/No) |
| | a. If yes, would you like to share any reports with us? |
| Vulnerability Management | 25. Do you perform vulnerability scans and review the results? (Yes/No) |
| | a. If yes, please select the type of scans performed: [ ] SAST - Static Analysis Scans (Code) [ ] DAST - Dynamic Analysis Scans (Live) [ ] SCA - Dependency / Open-Source Library Scans (Library) |
| | 26. Have you read our Marketplace security bug fix policy? (Yes/No) |
| | 27. Do you plan to notify customers and Atlassian in the case of a security incident or a critical vulnerability in your app? (Yes/No) |
| | a. If yes, have you read our security incident notification guide? (Yes/No) |
| | 28. Have you identified a security contact for the app and had them create an account on ecosystem.atlassian.net? (Yes/No) |