Last updated Oct 31, 2019

FAQ: Security requirements for cloud applications

The security requirements and their supporting documentation are planned to take effect on January 1, 2020.

What are the security requirements for cloud apps?

The security requirements for cloud apps are a combination of security best practices and application security defenses that prevent common classes of vulnerabilities from being introduced into apps.

What is the purpose of the security requirements?

Our goal is to create a high level of trust and security in the Marketplace for our users. We use the requirements as the first step to improve security in Marketplace apps. It isn't our intention to place onerous security burdens on app vendors or create any surprises. Instead, we want to partner with vendors and provide the resources necessary to achieve these mutually beneficial security goals.

How does this impact the listing process?

The requirements do not impact the listing process. Apps will not be tested prior to listing but are subject to continuous review by the Atlassian security team. Any security gaps identified will be addressed by following the Enforcement Procedure: Security Requirements.

How were these security requirements chosen?

The list of requirements reflects common security issues affecting Marketplace cloud apps. These are verifiable defenses, which we can validate manually or automatically.

Are the requirements likely to change?

As the product evolves, we may change the requirements to better reflect the security needs of Marketplace customers. Requirements may be added, updated, or removed. We will give a minimum of 30 days notice for you to make the necessary updates to meet the requirements.

What is the difference between requirements and guidelines?

Security requirements are mandatory defenses that apps must implement. The Security Guidelines are recommendations to improve the security of your app: they are not mandatory.

Are the requirements mandatory for all apps?

Yes. All cloud apps must meet the security requirements. This includes free apps.

How are the requirements enforced?

When an application doesn't fulfill one of the requirements, Atlassian will treat it as a security vulnerability. We will raise an app security incident ticket (DEVHELP) and notify you about the security issue. Issues will be scored using the CVSS standard and assigned the appropriate SLA. See the Enforcement Procedure: Security Requirements for more details.

Are apps permanently delisted for not meeting the security requirements?

No. Once the security requirements are met, the app can be relisted on the Marketplace.

How do I make sure my app meets the requirements?

You can use open-source tools to check if your app meets the requirements. Please refer to Additional Information: Security requirements for advice on how to check whether your app is compliant.

My app does not meet a requirement, but I have a workaround. Will I be penalized?

If the workaround mitigates the security vulnerability, then you will not be penalized. The Atlassian security team will evaluate this on a case-by-case basis. Refer to Enforcement Procedure: Security Requirements to learn more about the process.

How can I provide feedback about the requirements?

If you have any questions or feedback about the security requirements, please use the "Give docs feedback" link provided above.