Rate this page:
The security requirements for cloud apps are a combination of security best practices and application security defenses that prevent security vulnerabilities from being introduced in applications.
Our goal is to create a high level of trust and security in the Marketplace for our users. We use the requirements as the first step to improve security in Marketplace apps. It isn't our intention to place onerous security burdens on Marketplace Partners or create any surprises. Instead, we want to work with Marketplace Partners and provide the resources necessary to achieve these mutually beneficial security goals.
The requirements do not impact the listing process. Apps will not be tested prior to listing but are subject to continuous review by the Atlassian security team. Any security gaps identified will be addressed by following the security bug fix policy.
The list of requirements reflects common security issues affecting Marketplace cloud apps. These are verifiable defenses, which we can validate manually or automatically.
As the product evolves, we may change the requirements to better reflect the security needs of Marketplace customers. Requirements may be added, updated, or removed. We will give a minimum of 30 days notice for you to make the necessary updates to meet the requirements.
Security requirements are mandatory defenses that apps must implement. The Security Guidelines are recommendations to improve the security of your app: they are not mandatory.
Yes. All cloud apps must meet the security requirements. This includes free apps.
When an application doesn't fulfill one of the requirements, Atlassian will treat it as a security vulnerability. We will raise a ticket in Atlassian Marketplace Security project and notify you about the security issue. Issues will be scored using the CVSS standard and assigned the appropriate SLA. See the security bug fix policy for more details.
No. Once the security requirements are met, the app can be relisted on the Marketplace.
You can use open-source tools to check if your app meets the requirements. Please refer to Additional Information: Security requirements for advice on how to check whether your app is compliant.
If the workaround mitigates the security vulnerability, then you will not be penalized. The Atlassian security team will evaluate this on a case-by-case basis. Refer to security bug fix policy to learn more about the process.
If you have any questions or feedback about the security requirements, please use the "Give docs feedback" provided above.
Rate this page: