Rate this page:
The Marketplace app security requirements are a combination of security best practices and application security defenses that prevent security vulnerabilities being introduced into applications. When an application does not fulfill one of these requirements, Atlassian treats it as a security vulnerability. This page explains how Atlassian enforces the Security Requirements for Marketplace cloud apps.
For every security vulnerability reported Atlassian calculates a CVSS score using the CVSS specification. Based on the CVSS score, a severity rating is set for every vulnerability.
The severity rating based on CVSS score ranges are:
|Critical||CVSS v3 >= 9.0|
|High||CVSS v3 >= 7.0|
|Medium||CVSS v3 >= 4.0|
|Low||CVSS v3 < 4.0|
For every vulnerability identified in your app, Atlassian will raise a ticket in AMS and notify you about the security issue. The SLA timeframe starts once you have been notified.
All vulnerabilities must be fixed within the security SLAs defined in the Security Bug Fix policy.
Atlassian makes a decision whether to de-list or disable your app in the Marketplace, based on the nature of exposure caused by the vulnerability. If the vulnerability results in potential exposure of customer data, we consider options for restricting the availability of the app on the Marketplace, including de-listing for new users or disabling for all users. We understand the implications of disabling an app and will not take this decision lightly.
You patch the security issue and notify the Atlassian security team on the AMS ticket. The Atlassian security team validates and confirms that the issue is fixed.
Extensions are granted by the Atlassian security team for these reasons:
In order to consider an extension, we need the following information:
To request an SLA extension, please transition the status of the corresponding AMS ticket to and provide the information needed for Atlassian to review the request. For more information, please review our SLA management strategy.
Rate this page: