The Marketplace app security requirements are a combination of security best practices and application security defenses that prevent security vulnerabilities from being introduced into applications. When an application does not fulfill one of these requirements, Atlassian treats it as a security vulnerability. This page explains how Atlassian enforces the Security Requirements for Marketplace cloud apps.
For every security vulnerability reported, Atlassian calculates a CVSS score using the CVSS specification. Based on the CVSS score, a severity rating is assigned to every vulnerability.
The severity ratings, based on CVSS score ranges, are:
| Severity | CVSS Score |
|---|---|
| Critical | CVSS v3 >= 9.0 |
| High | CVSS v3 >= 7.0 |
| Medium | CVSS v3 >= 4.0 |
| Low | CVSS v3 < 4.0 |
Atlassian raises an app security incident ticket (DEVHELP) and notifies you about the security issue. The SLA timeframe starts once you have been notified.
All vulnerabilities must be fixed within these timeframes:
| Severity | CVSS Score | Timeframe for resolution |
|---|---|---|
| Critical | CVSS v3 >= 9.0 | Must be fixed within 4 weeks of being reported and CVSS scored. |
| High | CVSS v3 >= 7.0 | Must be fixed within 6 weeks of being reported and CVSS scored. |
| Medium | CVSS v3 >= 4.0 | Must be fixed within 8 weeks of being reported and CVSS scored. |
| Low | CVSS v3 < 4.0 | Must be fixed within 25 weeks of being reported and CVSS scored. |
Atlassian decides whether to de-list or disable your app in the Marketplace based on the nature of the exposure caused by the vulnerability. If the vulnerability results in potential exposure of customer data, we consider options for restricting the availability of the app on the Marketplace, including de-listing it for new users or disabling it for all users. We understand the implications of disabling an app and do not take this decision lightly.
Once you have patched the security issue, notify the Atlassian security team on the DEVHELP ticket. The Atlassian security team then validates and confirms that the issue is fixed.
Extensions are granted by the Atlassian security team for these reasons:
In order to consider an extension, we need the following information: