Last updated Oct 31, 2019

Enforcement procedure: Security requirements

The Marketplace app security requirements are a combination of security best practices and application security defenses that prevent security vulnerabilities from being introduced into applications. When an application does not fulfill one of these requirements, Atlassian treats the gap as a security vulnerability. This page explains how Atlassian enforces the Security Requirements for Marketplace cloud apps.

The Security requirements and the supporting documentation are planned to take effect as of January 1, 2020.

Step 1

For every security vulnerability reported, Atlassian calculates a CVSS score using the CVSS v3 specification. Based on the CVSS score, a severity rating is set for every vulnerability.

The severity rating based on CVSS score ranges are:

Severity    CVSS Score
Critical    CVSS v3 >= 9.0
High        CVSS v3 >= 7.0 and < 9.0
Medium      CVSS v3 >= 4.0 and < 7.0
Low         CVSS v3 < 4.0

Resolving disagreements on severity

If you disagree with the CVSS score, we will consider any information you provide. We understand that you have the best knowledge of your environments and the nature of your applications. However, the final determination of the severity rating is at the Atlassian security team's discretion.

Step 2

Atlassian raises an app security incident ticket in DEVHELP and notifies you about the security issue. The SLA timeframe starts once you have been notified.

All vulnerabilities must be fixed within these timeframes:

Severity    CVSS Score                  Timeframe for resolution
Critical    CVSS v3 >= 9.0              Must be fixed within 4 weeks of being reported and CVSS scored.
High        CVSS v3 >= 7.0 and < 9.0    Must be fixed within 6 weeks of being reported and CVSS scored.
Medium      CVSS v3 >= 4.0 and < 7.0    Must be fixed within 8 weeks of being reported and CVSS scored.
Low         CVSS v3 < 4.0               Must be fixed within 12 weeks of being reported and CVSS scored.

Step 3

Atlassian decides whether to de-list or disable your app in the Marketplace, based on the nature of the exposure caused by the vulnerability. If the vulnerability results in potential exposure of customer data, we consider options for restricting the availability of the app on the Marketplace, including de-listing it for new users or disabling it for all users. We understand the implications of disabling an app and will not take this decision lightly.

Step 4

You patch the security issue and notify the Atlassian security team on the DEVHELP ticket. The Atlassian security team validates the fix and confirms on the ticket that the issue is resolved.

Extensions to security SLA

If you cannot fix an issue within the SLA timeframe, you can request an extension to the SLA on the DEVHELP ticket.

Extensions are granted by the Atlassian security team for these reasons:

  • An attempt to fix a vulnerability within the resolution timeframe has been made but the fix is not suitable (for example, the fix causes a significant performance problem).
  • An attempt to fix a vulnerability within the resolution timeframe has been made but the fix does not entirely address the problem.
  • Fixing the vulnerability requires a redesign effort that will take longer than the time allowed by the SLA timeframe.
  • Fixing the vulnerability requires mitigation which breaks backward compatibility.
  • Fixing the vulnerability requires updating and coordinating fixes between entities outside your control.

In order to consider an extension, we need the following information:

  • An explanation of why an extension is needed.
  • A redesign or mitigation proposal.
  • A commitment to the start date.
  • An estimate for completion.

The Atlassian security team will review and discuss the information provided with you before granting an extension to the SLA, if appropriate.

Lack of communication from you

If you do not acknowledge and respond to the security issue report, the Atlassian security team will attempt to establish contact with you for 90 days. After 90 days without a response, Atlassian will de-list and disable your app in the Marketplace for all users.