Enforcement procedure: Security requirements

The Marketplace app security requirements are a combination of security best practices and application security defenses that prevent security vulnerabilities being introduced into applications. When an application does not fulfill one of these requirements, Atlassian treats it as a security vulnerability. This page explains how Atlassian enforces the Security Requirements for Marketplace cloud apps.

Step 1

For every security vulnerability reported Atlassian calculates a CVSS score using the CVSS specification. Based on the CVSS score, a severity rating is set for every vulnerability.

The severity rating based on CVSS score ranges are:

Severity	CVSS Score
Critical	CVSS v3 >= 9.0
High	CVSS v3 >= 7.0
Medium	CVSS v3 >= 4.0
Low	CVSS v3 < 4.0

Resolving disagreements on severity

If you disagree with the CVSS score, we will consider any information you provide. We understand that you have the best knowledge of your environments and the nature of your applications. However, the final determination of severity rating will be at the Atlassian security team�s discretion.

Step 2

Atlassian raises an app security incident ticket DEVHELP and notifies you about the security issue. The SLA timeframe starts once you have been notified.

All vulnerabilities must be fixed within these timeframes:

Severity	CVSS Score	Timeframe for resolution
Critical	CVSS v3 >= 9.0	Must be fixed within 4 weeks of being reported and CVSS scored.
High	CVSS v3 >= 7.0	Must be fixed within 6 weeks of being reported and CVSS scored.
Medium	CVSS v3 >= 4.0	Must be fixed within 8 weeks of being reported and CVSS scored.
Low	CVSS v3 < 4.0	Must be fixed within 25 weeks of being reported and CVSS scored

Step 3

Atlassian makes a decision whether to de-list or disable your app in the Marketplace, based on the nature of exposure caused by the vulnerability. If the vulnerability results in potential exposure of customer data, we consider options for restricting the availability of the app on the Marketplace, including de-listing for new users or disabling for all users. We understand the implications of disabling an app and will not take this decision lightly.

Step 4

You patch the security issue and notify the Atlassian security team on the DEVHELP ticket. The Atlassian security team validates and confirms that the issue is fixed.

Extensions to security SLA

If you cannot fix an issue within the SLA timeframe, you can request an extension to the SLA.

Extensions are granted by the Atlassian security team for these reasons:

An attempt to fix a vulnerability within the resolution timeframe has been made but the fix is not suitable (for example, the fix causes a significant performance problem).
An attempt to fix a vulnerability within the resolution timeframe has been made but the fix does not entirely address the problem.
Fixing the vulnerability requires a redesign effort that will take longer than the time allowed by the SLA timeframe.
Fixing the vulnerability requires mitigation which breaks backward compatibility.
Fixing the vulnerability requires updating and coordinating fixes between entities outside your control.

In order to consider an extension, we need the following information:

An explanation of why an extension is needed.
A redesign or mitigation proposal.
A commitment to the start date.
An estimate for completion. The Atlassian security team will review and discuss the information provided with you before providing an extension to the SLA, if appropriate.

To request an SLA Extension to fix a Bug Bounty related submission to maintain your app's Trust Signal Badge, create an ESSD ticket with this form.

Lack of communication from you

If you do not acknowledge and respond to the security issue report, the Atlassian security team will attempt to establish contact with you for 90 days. After 90 days, Atlassian will de-list and disable your app in the Marketplace for all users.

Atlassian Marketplace Developer