Security Bug Fix Policy For Marketplace Apps

Security is built into the fabric of our products and marketplace, and is a huge priority for Atlassian so that customers can feel assured that their data is safeguarded. The Security Bug Fix Policy outlines Atlassian’s security expectations of developers who host apps on the Atlassian Marketplace, specifically regarding security vulnerabilities. In order to operate without interruption in the Atlassian Marketplace, developers must follow this Security Bug Fix Policy to do their part in protecting our customers' data.

Remediation Due Dates

Most vulnerabilities reported in the Atlassian Marketplace Security (AMS) Jira Project have a “Remediation Due Date.” Atlassian requires all apps to meet vulnerability due dates reported in AMS. The Remediation Due Date is determined by the severity of the vulnerability, and the hosting type.

Cloud Apps

The following table outlines a vulnerability’s timeframe for resolution by severity type for cloud apps.

Severity	CVSS Score	Timeframe for resolution
Critical	CVSS v3 >= 9.0	Must be fixed within 4 weeks of being reported or triaged.
High	CVSS v3 >= 7.0	Must be fixed within 6 weeks of being reported or triaged.
Medium	CVSS v3 >= 4.0	Must be fixed within 8 weeks of being reported or triaged.
Low	CVSS v3 < 4.0	Must be fixed within 25 weeks of being reported or triaged.

Data Center and Server Apps

The following table outlines a vulnerability’s timeframe for resolution by severity type for data center and server apps.

Severity	CVSS Score	Timeframe for resolution
Critical	CVSS v3 >= 9.0	Must be fixed within 90 days of being reported or triaged.
High	CVSS v3 >= 7.0	Must be fixed within 90 days of being reported or triaged.
Medium	CVSS v3 >= 4.0	Must be fixed within 90 days of being reported or triaged.
Low	CVSS v3 < 4.0	Must be fixed within 180 days of being reported or triaged.

Triaging Vulnerabilities

For most vulnerabilities, the Timeframe for Resolution begins once the vulnerability is reported in AMS.

However, vulnerabilities discovered through the Marketplace Security Bug Bounty Program have a two-week triage period. This period exists for developers to review vulnerabilities discovered through their Bugcrowd programs. Developers are expected to review and respond to vulnerabilities within that two-week triage period. Vulnerabilities discovered through the Marketplace Security Bug Bounty Program that receive no response within the two-week period are automatically accepted, and the Timeframe for Resolution begins two weeks after discovery. This triaging rule applies to cloud, data center and server apps.

Extensions

Atlassian does not accept Remediation Due Date extension requests, unless:

the patch to a vulnerability results in a breaking change for the customers;
the vulnerability is caused by the Atlassian platform;
the patch to vulnerability is dependent on changes to Atlassian’s platform;
the patch is blocked by a third party
the risk associated to the vulnerability has changed.

To talk with someone from the Atlassian Ecosystem Security team regarding extensions, comment in the AMS Jira Issue. Atlassian does not guarantee extension requests, but takes each request relating to one of these situations into consideration.

Enforcement

Failure to meet vulnerability due dates reported in AMS may result in either temporary or permanent enforcement. Atlassian does not take enforcement lightly, and is committed to working with partners to determine a plan in addressing vulnerabilities by their due dates.

The following enforcement happens once the due date is breached. Vulnerabilities that pose the most risk to customers will be taken the most seriously. Therefore, there are differences in enforcement based on the severity of the vulnerability and the hosting type.

Severity	Cloud	Data Center & Server
Critical	Hide the app	Hide the app
High	If the app has no badges, then Atlassian will hide the app on the first day the due date is breached. If the app has at least one badge, then Atlassian will: remove badge(s) on the first day the due date is breached; hide the app if the due date is breached for more than 15 days	Hide the app
Medium	`Only applies when the enforcement threshold is met, which is 3 active medium due date breaches` If the app has no badges, then Atlassian will hide the app on the first day the due date is breached. If the app has at least one badge, then Atlassian will: remove badge(s) on the first day the due date is breached; hide the app if the due date is breached for more than 15 days	Hide the app
Low	`Only applies when the enforcement threshold is met, which is 4 active low due date breaches` If the app has no badges, then Atlassian will hide the app on the first day the due date is breached. If the app has at least one badge, then Atlassian will: remove badge(s) on the first day the due date is breached; hide the app if the due date is breached for more than 15 days	Hide the app

Enforcement Actions, Explained

Hiding an app will hide the app from the Atlassian Marketplace User Interface and the Atlassian Universal Plugin Manager. New customers will not be able to install the app.

Badge Removal removes the Cloud Security Participant Badge from the Atlassian Marketplace User Interface.

Apps who have the Cloud Fortified App Badge will also have this badge removed since the Cloud Security Participant Badge is a requirement for the Cloud Fortified App Badge.

Badge removal also includes removing the checkmark that identifies an app as a participant in the Marketplace Bug Bounty Program.

Critical and High Vulnerabilities

Atlassian will perform a Security Threat Assessment for critical and high vulnerabilities during the Timeframe for Resolution. The Security Threat Assessment is an assessment that evaluates the threat based on exploitability, timing and impact to Atlassian customers. Critical and high vulnerabilities in apps that fail this assessment are subject to additional and more severe enforcement actions, such as customer notification and, in the most extreme cases, pausing an app. Pausing an app will disable the app from functioning.

Vulnerabilities that fail the Security Threat Assessment have severe and urgent risks to customer data, or have been identified as acting maliciously. Atlassian will re-perform the Security Threat Assessment periodically to monitor the threat to customer data until the vulnerability is patched, and reserves the right to change the enforcement actions resulting from the assessment at any time.

Medium and Low Vulnerabilities

For medium and low vulnerabilities, there are enforcement thresholds.

Medium vulnerabilities have an enforcement threshold of 3 active due date breaches. Less than 3 active medium due date breaches do not prompt enforcement action.

Low vulnerabilities have an enforcement threshold of 4 active due date breaches. Less than 4 active low due date breaches do not prompt enforcement action.

There are no enforcement thresholds for critical and high vulnerabilities.

Communication Expectations

Atlassian requires developers to maintain communication with Atlassian. In AMS, Atlassian will contact the app’s security contacts regarding the outstanding vulnerability for up to 90 days. In the event that Atlassian does not hear from the partner within 90 days, nor does the partner make clear efforts to address and fix the vulnerability, Atlassian will pause the app from the Atlassian Marketplace, in addition to the enforcements listed in the above table.