Last updated Apr 15, 2021


SLA management

To ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Marketplace apps, Marketplace partners are expected to fix vulnerabilities within the SLAs defined by the bug fix policy. To help partners stay on top of their SLAs, Atlassian will send notifications for vulnerabilities tracked in the AMS project at several points in the ticket lifecycle:

  • At ticket creation
  • When the vulnerability is nearing SLA violation
  • When the vulnerability has breached the SLA

Notifications will appear as comments on the ticket and as email notifications to the security contact specified by the partner. Make sure the security contact is active and up to date, as timely communication is important. If we don't hear from you within 90 days of ticket creation, Atlassian will de-list and disable your app in the Marketplace for all users.

If for any reason a vulnerability cannot be fixed within SLA, partners can request an SLA extension. To request one, the owner of the vulnerability transitions the AMS ticket to Extension Requested and provides, in the comments of the ticket, a reason for the extension, the plan for completing/deploying the fix, and an ETA for resolution.

Notification and attribution

When an issue is created in AMS, our attribution service will query the partner's security contact and populate the Assignee and the Partner Participants fields. Once a user is added in this way, they will have access to the issue, allowing them to track the vulnerability and any actions associated with it.

When a user is assigned to an issue, they will receive an email notification. We ask that partners actively acknowledge receipt of the vulnerability by following up on the ticket. The Ecosystem Security team will then work with the app owner to ensure that the vulnerability is remediated within SLA.

Who will have access to the AMS tickets?

By default, users will not have access to AMS tickets unless they are one of the following:

  • Ticket Assignee
  • Users in Partner Participants field
  • Atlassian Team

This ensures that partners have access only to issues pertaining to their own apps. Note that once a user is removed from an issue, they will no longer have access. Therefore, if you need to change the Assignee field to another user in your organization, make sure that your username is included in Partner Participants so that you do not lose visibility of the issue.

Our attribution service relies on the security contact as specified by the partner in the Contacts section of their vendor account. Therefore, it is important that the information provided in this section is accurate and up to date.

To add new users to all your tickets, follow Step 3 in the play. It could take up to 24 hours to get access to all tickets.

Visit this page to learn more about how to configure Security contacts.
