The security requirements for cloud apps combine security best practices with application security defenses that prevent security vulnerabilities from being introduced into applications.
Our goal is to create a high level of trust and security in the Marketplace for our users. We use the requirements as the first step to improve security in Marketplace apps. It isn't our intention to place onerous security burdens on app vendors or create any surprises. Instead, we want to partner with vendors and provide the resources necessary to achieve these mutually beneficial security goals.
The requirements do not impact the listing process. Apps will not be tested prior to listing but are subject to continuous review by the Atlassian security team. Any security gaps identified will be addressed by following the Enforcement Procedure: Security Requirements.
The list of requirements reflects common security issues affecting Marketplace cloud apps. These are verifiable defenses, which we can validate manually or automatically.
As the product evolves, we may change the requirements to better reflect the security needs of Marketplace customers. Requirements may be added, updated, or removed. We will give a minimum of 30 days' notice for you to make the necessary updates to meet the requirements.
Security requirements are mandatory defenses that apps must implement. The Security Guidelines are recommendations to improve the security of your app: they are not mandatory.
Yes. All cloud apps must meet the security requirements. This includes free apps.
When an application doesn't fulfill one of the requirements, Atlassian will treat it as a security vulnerability. We will raise an app security incident ticket (DEVHELP) and notify you about the security issue. Issues will be scored using the CVSS standard and assigned the appropriate SLA. See the Enforcement Procedure: Security Requirements for more details.
No. Once the security requirements are met, the app can be relisted on the Marketplace.
You can use open-source tools to check if your app meets the requirements. Please refer to Additional Information: Security requirements for advice on how to check whether your app is compliant.
If the workaround mitigates the security vulnerability, then you will not be penalized. The Atlassian security team will evaluate this on a case-by-case basis. Refer to Enforcement Procedure: Security Requirements to learn more about the process.
If you have any questions or feedback about the security requirements, please use the "Give docs feedback" provided above.