Security is built into the fabric of our products and marketplace, and is a huge priority for Atlassian so that customers can feel assured that their data is safeguarded. The Security Bug Fix Policy outlines Atlassian’s security expectations of developers who host apps on the Atlassian Marketplace, specifically regarding security vulnerabilities. In order to operate without interruption in the Atlassian Marketplace, developers must follow this Security Bug Fix Policy to do their part in protecting our customers' data.
Most vulnerabilities reported in the Atlassian Marketplace Security (AMS) Jira Project have a “Remediation Due Date.” Atlassian requires all apps to meet vulnerability due dates reported in AMS. The Remediation Due Date is determined by the severity of the vulnerability, and the hosting type.
The following table outlines a vulnerability’s timeframe for resolution by severity type for cloud apps.
| Severity | CVSS Score | Timeframe for resolution |
|---|---|---|
| Critical | CVSS v3 >= 9.0 | Must be fixed within 4 weeks of being reported or triaged. |
| High | CVSS v3 >= 7.0 | Must be fixed within 6 weeks of being reported or triaged. |
| Medium | CVSS v3 >= 4.0 | Must be fixed within 8 weeks of being reported or triaged. |
| Low | CVSS v3 < 4.0 | Must be fixed within 25 weeks of being reported or triaged. |
The following table outlines a vulnerability’s timeframe for resolution by severity type for data center and server apps.
| Severity | CVSS Score | Timeframe for resolution |
|---|---|---|
| Critical | CVSS v3 >= 9.0 | Must be fixed within 90 days of being reported or triaged. |
| High | CVSS v3 >= 7.0 | Must be fixed within 90 days of being reported or triaged. |
| Medium | CVSS v3 >= 4.0 | Must be fixed within 90 days of being reported or triaged. |
| Low | CVSS v3 < 4.0 | Must be fixed within 180 days of being reported or triaged. |
For most vulnerabilities, the Timeframe for Resolution begins once the vulnerability is reported in AMS.
However, vulnerabilities discovered through the Marketplace Security Bug Bounty Program have a two-week triage period. This period exists so that developers can review vulnerabilities discovered through their Bugcrowd programs, and developers are expected to review and respond to those vulnerabilities within it. Vulnerabilities discovered through the Marketplace Security Bug Bounty Program that receive no response within the two-week period are automatically accepted, and the Timeframe for Resolution then begins two weeks after discovery. This triage rule applies to cloud, data center and server apps.
Atlassian does not accept Remediation Due Date extension requests, unless:
To talk with someone from the Atlassian Ecosystem Security team regarding extensions, comment in the AMS Jira Issue. Atlassian does not guarantee extension requests, but takes each request relating to one of these situations into consideration.
Failure to meet vulnerability due dates reported in AMS may result in either temporary or permanent enforcement. Atlassian does not take enforcement lightly, and is committed to working with partners to determine a plan in addressing vulnerabilities by their due dates.
The following enforcement happens once the due date is breached. Vulnerabilities that pose the most risk to customers will be taken the most seriously. Therefore, there are differences in enforcement based on the severity of the vulnerability and the hosting type.
| Severity | Cloud | Data Center & Server |
|---|---|---|
| Critical | Hide the app | Hide the app |
| High | Badge Removal | Hide the app |
| Medium | Badge Removal. Only applies when the enforcement threshold is met, which is 3 active medium due date breaches. | Hide the app |
| Low | Badge Removal. Only applies when the enforcement threshold is met, which is 4 active low due date breaches. | Hide the app |
Hiding an app removes it from the Atlassian Marketplace User Interface and from the Atlassian Universal Plugin Manager, so new customers will not be able to install the app.
Badge Removal removes the Cloud Security Participant Badge from the Atlassian Marketplace User Interface.
Apps that have the Cloud Fortified App Badge will also have that badge removed, since the Cloud Security Participant Badge is a requirement for the Cloud Fortified App Badge.
Badge removal also includes removing the checkmark that identifies an app as a participant in the Marketplace Bug Bounty Program.
Atlassian will perform a Security Threat Assessment for critical and high vulnerabilities during the Timeframe for Resolution. The Security Threat Assessment is an assessment that evaluates the threat based on exploitability, timing and impact to Atlassian customers. Critical and high vulnerabilities in apps that fail this assessment are subject to additional and more severe enforcement actions, such as customer notification and, in the most extreme cases, pausing an app. Pausing an app will disable the app from functioning.
Vulnerabilities that fail the Security Threat Assessment pose severe and urgent risks to customer data, or have been identified as acting maliciously. Atlassian will re-perform the Security Threat Assessment periodically to monitor the threat to customer data until the vulnerability is patched, and reserves the right to change the enforcement actions resulting from the assessment at any time.
For medium and low vulnerabilities, there are enforcement thresholds.
Medium vulnerabilities have an enforcement threshold of 3 active due date breaches. Fewer than 3 active medium due date breaches do not prompt enforcement action.
Low vulnerabilities have an enforcement threshold of 4 active due date breaches. Fewer than 4 active low due date breaches do not prompt enforcement action.
There are no enforcement thresholds for critical and high vulnerabilities.
Atlassian requires developers to maintain communication with Atlassian. In AMS, Atlassian will contact the app’s security contacts regarding the outstanding vulnerability for up to 90 days. If Atlassian does not hear from the partner within those 90 days and the partner makes no clear effort to address and fix the vulnerability, Atlassian will pause the app on the Atlassian Marketplace, in addition to the enforcement actions listed in the table above.