Last updated Oct 8, 2023

Security Bug Fix Policy

Security is built into the fabric of Atlassian products and apps, so that customers can feel assured that their data is safeguarded.

The Security Bug Fix Policy outlines Atlassian’s security expectations of developers who host apps on the Atlassian Marketplace, specifically regarding security vulnerabilities. Developers must follow this policy to ensure they are protecting our customers' data.

Remediation Due Dates

Most vulnerabilities reported in the Atlassian Marketplace Security (AMS) Jira Project have a “Remediation Due Date”, which is determined by the severity of the vulnerability, and the hosting type. Atlassian requires all apps to meet these due dates.

Cloud apps

The following table outlines a vulnerability’s timeframe for resolution by severity type for cloud apps.

Severity	CVSS Score	Timeframe for resolution
Critical	CVSS v3 >= 9.0	Must be fixed within 4 weeks of being reported or triaged.
High	CVSS v3 >= 7.0	Must be fixed within 6 weeks of being reported or triaged.
Medium	CVSS v3 >= 4.0	Must be fixed within 8 weeks of being reported or triaged.
Low	CVSS v3 < 4.0	Must be fixed within 25 weeks of being reported or triaged.

Data Center and server apps

The following table outlines a vulnerability’s timeframe for resolution by severity type for Data Center and server apps.

Severity	CVSS Score	Timeframe for resolution
Critical	CVSS v3 >= 9.0	Must be fixed within 12 weeks of being reported or triaged.
High	CVSS v3 >= 7.0	Must be fixed within 12 weeks of being reported or triaged.
Medium	CVSS v3 >= 4.0	Must be fixed within 12 weeks of being reported or triaged.
Low	CVSS v3 < 4.0	Must be fixed within 25 weeks of being reported or triaged.

Triaging vulnerabilities

For most vulnerabilities, the timeframe for resolution begins once the vulnerability is reported in AMS.
However, vulnerabilities discovered through the Marketplace Security Bug Bounty Program have a two-week triage period. This period exists for developers to review vulnerabilities discovered through their Bugcrowd programs. Developers are expected to review and respond to vulnerabilities within that period.
Vulnerabilities discovered through the Marketplace Security Bug Bounty Program that receive no response within the two-week period are automatically accepted, and the timeframe for resolution begins two weeks after discovery.
This triaging rule applies to cloud, Data Center and server apps.

Extensions

Atlassian doesn't accept extension requests for the Remediation Due Date, unless one of the following applies:

The patch to a vulnerability results in a breaking change for the customers
The vulnerability is caused by the Atlassian platform
The patch to vulnerability is dependent on changes to Atlassian’s platform
The patch is blocked by a third party
The risk associated to the vulnerability has changed

To request an extension, please transition the AMS ticket to "Extension Requested" state . Extensions aren't guaranteed - Atlassian will review and accept requests on a case-by-case basis.

What if I miss the Remediation Due Date?

Failure to meet vulnerability due dates reported in AMS may result in either temporary or permanent enforcement. Atlassian doesn't take enforcement lightly, and we're committed to working with partners to determine a plan in addressing vulnerabilities by their due dates.

The following enforcement happens once the due date is breached. Vulnerabilities that pose the greatest risk to customers will be taken the most seriously. Therefore, there are differences in enforcement based on the severity of the vulnerability and the hosting type.

Severity	Cloud	Data Center & server
Critical	Hide the app	Hide the app
High	If the app has no badges, then Atlassian will hide the app on the first day the due date is breached. If the app has at least one badge, then Atlassian will: remove badge(s) on the first day the due date is breached hide the app if the due date is breached for more than 15 days	Hide the app
Medium	`Only applies when the enforcement threshold is met, which is 3 active medium due date breaches` If the app has no badges, then Atlassian will hide the app on the first day the due date is breached. If the app has at least one badge, then Atlassian will: remove badge(s) on the first day the due date is breached hide the app if the due date is breached for more than 15 days	Hide the app
Low	`Only applies when the enforcement threshold is met, which is 4 active low due date breaches` If the app has no badges, then Atlassian will hide the app on the first day the due date is breached. If the app has at least one badge, then Atlassian will: remove badge(s) on the first day the due date is breached hide the app if the due date is breached for more than 15 days	Hide the app

Enforcement actions, explained

Hiding an app will hide the app from the Atlassian Marketplace and the Atlassian Universal Plugin Manager. New customers won't be able to install the app.
Badge Removal removes the Cloud Security Participant Badge from the Atlassian Marketplace.
- Apps that have the Cloud Fortified App Badge will also have this badge removed, since the Cloud Security Participant Badge is a requirement for the Cloud Fortified App Badge.
- Badge removal also includes removing the checkmark that identifies an app as a participant in the Marketplace Bug Bounty Program.

Critical and High Vulnerabilities

During the timeframe for resolution, Atlassian will perform a Security Threat Assessment for critical and high vulnerabilities. This evaluates the threat based on exploitability, timing and impact to Atlassian customers.
Vulnerabilities that fail the assessment have severe and urgent risks to customer data, or have been identified as acting maliciously.
Critical and high vulnerabilities in apps that fail this assessment are subject to additional and more severe enforcement actions, such as customer notification and, in the most extreme cases, pausing an app. Pausing an app will disable the app from functioning.
Atlassian will re-perform the assessment periodically to monitor the threat to customer data until the vulnerability is patched, and reserves the right to change the enforcement actions resulting from the assessment at any time.

Medium and Low Vulnerabilities

For medium and low vulnerabilities, there are enforcement thresholds:

Enforcement will only occur once the app reaches 3 active medium Remediation Due Date breaches.
Enforcement will only occur once the app reaches 4 active low Remediation Due Date breaches.

Communication expectations

We require developers to maintain communication with us.

In AMS, Atlassian will contact the app’s security contacts regarding the outstanding vulnerability for up to 90 days.

If we don't hear from the partner within 90 days, and the partner doesn't make clear efforts to address and fix the vulnerability, Atlassian will pause the app from the Atlassian Marketplace, in addition to the enforcements listed in the above table.