Last updated Sep 1, 2021

Security Bug Fix Policy for marketplace apps

Atlassian makes it a priority to ensure that customers' systems and data cannot be compromised by exploiting vulnerabilities in Atlassian products and apps in the Atlassian marketplace.

Security bug fix SLAs

The following describes how and when we expect our Atlassian Marketplace partners to resolve security bugs in their apps listed in the Marketplace. We have defined the following timeframes for fixing security issues in Atlassian marketplace apps (including unsupported apps).

Cloud apps

While we expect all Marketplace partners to adhere to remediation SLAs in order to reduce the risk of vulnerabilities being exploited, Atlassian will not begin enforcing the SLAs until October 2021 at the earliest. We will share further communications as we finalize dates for enforcement of security SLAs.

These timeframes apply to vulnerabilities identified in all Atlassian marketplace cloud apps.

| Severity | CVSS Score | Timeframe for resolution |
|----------|------------|--------------------------|
| Critical | CVSS v3 >= 9.0 | Must be fixed within 4 weeks of being reported and CVSS scored. |
| High | CVSS v3 >= 7.0 | Must be fixed within 6 weeks of being reported and CVSS scored. |
| Medium | CVSS v3 >= 4.0 | Must be fixed within 8 weeks of being reported and CVSS scored. |
| Low | CVSS v3 < 4.0 | Must be fixed within 25 weeks of being reported and CVSS scored. |

Extensions to the above-mentioned timeframes are handled according to the defined enforcement procedure.

Server and DC apps

While we expect all Marketplace partners to adhere to remediation SLAs in order to reduce the risk of vulnerabilities being exploited, Atlassian will not begin enforcing the SLAs until October 2021 at the earliest. We will share further communications as we finalize dates for enforcement of security SLAs.

These timeframes apply to vulnerabilities identified in all server and DC apps in the Atlassian marketplace.

| Severity | CVSS Score | Timeframe for resolution |
|----------|------------|--------------------------|
| Critical | CVSS v3 >= 9.0 | Must be fixed within 90 days of being reported and CVSS scored. |
| High | CVSS v3 >= 7.0 | Must be fixed within 90 days of being reported and CVSS scored. |
| Medium | CVSS v3 >= 4.0 | Must be fixed within 90 days of being reported and CVSS scored. |
| Low | CVSS v3 < 4.0 | Must be fixed within 180 days of being reported and CVSS scored. |

Extensions to the above-mentioned timeframes are handled according to the defined enforcement procedure.
