To ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Marketplace apps, Marketplace partners are expected to fix vulnerabilities within the SLAs defined by the bug fix policy. To help partners stay on top of their SLAs, Atlassian will send notifications for vulnerabilities tracked in the AMS project at several points in the ticket lifecycle:
Notifications will appear as comments on the ticket and as email notifications to the security contact specified by the partner. Make sure the security contact is active and up to date, as timely communication is important. If we have not heard from you within 90 days of ticket creation, Atlassian will de-list and disable your app in the Marketplace for all users.
If for any reason a vulnerability cannot be fixed within SLA, partners can request an SLA extension. Whenever the owner of a vulnerability wishes to receive an SLA extension, they transition the AMS ticket to and provide, in the comments of the ticket, a reason for the extension, the plan for completing and deploying the fix, and an ETA on resolution.
When an issue is created in AMS, our attribution service will query the partner’s security contact and populate the Assignee and the Partner Participants fields. Once a user is added in this way, they will have access to the issue allowing them to track the vulnerability and any actions associated with it.
When a user is assigned to an issue, they will receive an email notification. We ask that partners actively acknowledge receipt of the vulnerability by following up on the ticket. The Ecosystem Security team will then work with the app owner to ensure that the vulnerability is remediated within SLA.
Who will have access to the AMS tickets?
Users by default will not have access to AMS tickets unless they are
This ensures that partners only have access to issues pertaining to their own apps. Note that once a user is removed from an issue, they will no longer have access to it. Therefore, if you need to change the Assignee field to another user in your organization, make sure that your username is included in Partner Participants so that you do not lose visibility of the issue.