Last updated Oct 21, 2023

Rate this page:

Security Bug Fix Policy

Security is built into the fabric of Atlassian products and apps, so that customers can feel assured that their data is safeguarded.

The Security Bug Fix Policy outlines Atlassian’s security expectations of developers who host apps on the Atlassian Marketplace, specifically regarding security vulnerabilities. Developers must follow this policy to ensure they are protecting our customers' data.

Remediation Due Dates

Most vulnerabilities reported in the Atlassian Marketplace Security (AMS) Jira Project have a “Remediation Due Date”, which is determined by the severity of the vulnerability, and the hosting type. Atlassian requires all apps to meet these due dates.

Cloud apps

The following table outlines a vulnerability’s timeframe for resolution by severity type for cloud apps.

SeverityCVSS ScoreTimeframe for resolution
CriticalCVSS v3 >= 9.0Must be fixed within 4 weeks of being reported or triaged.
HighCVSS v3 >= 7.0Must be fixed within 6 weeks of being reported or triaged.
MediumCVSS v3 >= 4.0Must be fixed within 8 weeks of being reported or triaged.
LowCVSS v3 < 4.0Must be fixed within 25 weeks of being reported or triaged.

Data Center and server apps

The following table outlines a vulnerability’s timeframe for resolution by severity type for Data Center and server apps.

SeverityCVSS ScoreTimeframe for resolution
CriticalCVSS v3 >= 9.0Must be fixed within 12 weeks of being reported or triaged.
HighCVSS v3 >= 7.0Must be fixed within 12 weeks of being reported or triaged.
MediumCVSS v3 >= 4.0Must be fixed within 12 weeks of being reported or triaged.
LowCVSS v3 < 4.0Must be fixed within 25 weeks of being reported or triaged.

Triaging vulnerabilities

  • For most vulnerabilities, the timeframe for resolution begins once the vulnerability is reported in AMS.
  • However, vulnerabilities discovered through the Marketplace Security Bug Bounty Program have a two-week triage period. This period exists for developers to review vulnerabilities discovered through their Bugcrowd programs. Developers are expected to review and respond to vulnerabilities within that period.
  • Vulnerabilities discovered through the Marketplace Security Bug Bounty Program that receive no response within the two-week period are automatically accepted, and the timeframe for resolution begins two weeks after discovery.
  • This triaging rule applies to cloud, Data Center and server apps.

Extensions

Atlassian doesn't accept extension requests for the Remediation Due Date, unless one of the following applies:

  • The patch to a vulnerability results in a breaking change for the customers
  • The vulnerability is caused by the Atlassian platform
  • The patch to vulnerability is dependent on changes to Atlassian’s platform
  • The patch is blocked by a third party
  • The risk associated to the vulnerability has changed

To request an extension, please transition the AMS ticket to "Extension Requested" state . Extensions aren't guaranteed - Atlassian will review and accept requests on a case-by-case basis.

What if I miss the Remediation Due Date?

Failure to meet vulnerability due dates reported in AMS may result in either temporary or permanent enforcement. Atlassian doesn't take enforcement lightly, and we're committed to working with partners to determine a plan in addressing vulnerabilities by their due dates.

The following enforcement happens once the due date is breached. Vulnerabilities that pose the greatest risk to customers will be taken the most seriously. Therefore, there are differences in enforcement based on the severity of the vulnerability and the hosting type.

SeverityCloudData Center & server
CriticalHide the appHide the app
High
  • If the app has no badges, then Atlassian will hide the app on the first day the due date is breached.
  • If the app has at least one badge, then Atlassian will:
    • remove badge(s) on the first day the due date is breached
    • hide the app if the due date is breached for more than 15 days
Hide the app
MediumOnly applies when the enforcement threshold is met, which is 3 active medium due date breaches

  • If the app has no badges, then Atlassian will hide the app on the first day the due date is breached.
  • If the app has at least one badge, then Atlassian will:
    • remove badge(s) on the first day the due date is breached
    • hide the app if the due date is breached for more than 15 days

Hide the app
LowOnly applies when the enforcement threshold is met, which is 4 active low due date breaches

  • If the app has no badges, then Atlassian will hide the app on the first day the due date is breached.
  • If the app has at least one badge, then Atlassian will:
    • remove badge(s) on the first day the due date is breached
    • hide the app if the due date is breached for more than 15 days

Hide the app

Enforcement actions, explained

Critical and High Vulnerabilities

  • During the timeframe for resolution, Atlassian will perform a Security Threat Assessment for critical and high vulnerabilities. This evaluates the threat based on exploitability, timing and impact to Atlassian customers.
  • Vulnerabilities that fail the assessment have severe and urgent risks to customer data, or have been identified as acting maliciously.
  • Critical and high vulnerabilities in apps that fail this assessment are subject to additional and more severe enforcement actions, such as customer notification and, in the most extreme cases, pausing an app. Pausing an app will disable the app from functioning.
  • Atlassian will re-perform the assessment periodically to monitor the threat to customer data until the vulnerability is patched, and reserves the right to change the enforcement actions resulting from the assessment at any time.

Medium and Low Vulnerabilities

For medium and low vulnerabilities, there are enforcement thresholds:

  • Enforcement will only occur once the app reaches 3 active medium Remediation Due Date breaches.
  • Enforcement will only occur once the app reaches 4 active low Remediation Due Date breaches.

Communication expectations

We require developers to maintain communication with us.

In AMS, Atlassian will contact the app’s security contacts regarding the outstanding vulnerability for up to 90 days.

If we don't hear from the partner within 90 days, and the partner doesn't make clear efforts to address and fix the vulnerability, Atlassian will pause the app from the Atlassian Marketplace, in addition to the enforcements listed in the above table.

Rate this page: