Enforcement procedure: Security requirements

The Marketplace app security requirements are a combination of security best practices and application security defenses that prevent security vulnerabilities being introduced into applications. When an application does not fulfill one of these requirements, Atlassian treats it as a security vulnerability. This page explains how Atlassian enforces the Security Requirements for Marketplace cloud apps.

Step 1

For every security vulnerability reported Atlassian calculates a CVSS score using the CVSS specification. Based on the CVSS score, a severity rating is set for every vulnerability.

The severity rating based on CVSS score ranges are:

Severity	CVSS Score
Critical	CVSS v3 >= 9.0
High	CVSS v3 >= 7.0
Medium	CVSS v3 >= 4.0
Low	CVSS v3 < 4.0

Resolving disagreements on severity

If you disagree with the CVSS score, we will consider any information you provide. We understand that you have the best knowledge of your environments and the nature of your applications. However, the final determination of severity rating will be at the Atlassian security team's discretion.

Step 2

For every vulnerability identified in your app, Atlassian will raise a ticket in AMS and notify you about the security issue. The SLA timeframe starts once you have been notified.

All vulnerabilities must be fixed within the security SLAs defined in the Security Bug Fix policy.

Step 3

Atlassian makes a decision whether to de-list or disable your app in the Marketplace, based on the nature of exposure caused by the vulnerability. If the vulnerability results in potential exposure of customer data, we consider options for restricting the availability of the app on the Marketplace, including de-listing for new users or disabling for all users. We understand the implications of disabling an app and will not take this decision lightly.

Step 4

You patch the security issue and notify the Atlassian security team on the AMS ticket. The Atlassian security team validates and confirms that the issue is fixed.

Extensions to security SLA

If you cannot fix an issue within the SLA timeframe, you can request an extension to the SLA.

Extensions are granted by the Atlassian security team for these reasons:

An attempt to fix a vulnerability within the resolution timeframe has been made but the fix is not suitable (for example, the fix causes a significant performance problem).
An attempt to fix a vulnerability within the resolution timeframe has been made but the fix does not entirely address the problem.
Fixing the vulnerability requires a redesign effort that will take longer than the time allowed by the SLA timeframe.
Fixing the vulnerability requires mitigation which breaks backward compatibility.
Fixing the vulnerability requires updating and coordinating fixes between entities outside your control.

In order to consider an extension, we need the following information:

An explanation of why an extension is needed.
A redesign or mitigation proposal.
A commitment to the start date.
An estimate for completion. The Atlassian security team will review and discuss the information provided with you before providing an extension to the SLA, if appropriate.

To request an SLA extension, please transition the status of the corresponding AMS ticket to Extension Requested and provide the information needed for Atlassian to review the request. For more information, please review our SLA management strategy.

Lack of communication from you

If you do not acknowledge and respond to the security issue report, the Atlassian security team will attempt to establish contact with you for 90 days. After 90 days, Atlassian will de-list and disable your app in the Marketplace for all users.