Atlassian Marketplace Developer

Last updated Jan 8, 2021

SLA management

This program has not yet been launched. As such, information below may be incomplete or subject to change.

To ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Marketplace apps, Marketplace partners are expected to fix vulnerabilities within the SLAs defined by the bug fix policy. To help partners stay on top of their SLAs, Atlassian will send notifications for vulnerabilities tracked in the AMS project at several points in the ticket lifecycle:

  • At ticket creation
  • When the vulnerability is nearing SLA violation
  • When the vulnerability has breached the SLA

Notifications will appear as comments on the ticket and will also be emailed to the security contact specified by the partner. Make sure the security contact is active and up to date, as timely communication is important. If we haven’t heard from you 90 days after ticket creation, Atlassian will de-list and disable your app in the Marketplace for all users.

If for any reason a vulnerability cannot be fixed within SLA, partners can request an SLA extension. Whenever the owner of a vulnerability wishes to receive an SLA extension, they’ll transition the AMS ticket to Extension Requested. When they transition the issue they’ll be prompted to fill out their extension reason, the plan for completing / deploying the fix, and an ETA on resolution.

Notification and attribution

When an issue is created in AMS, our attribution service will query the partner’s security contact and populate the Assignee and the Partner Participants fields. Once a user is added in this way, they will have access to the issue allowing them to track the vulnerability and any actions associated with it.

A user added to an issue will receive an email notification. We ask that partners actively acknowledge the receipt of the vulnerability by following up on the ticket. The Ecosystem Security team will then work with the app owner to ensure that the vulnerability is remediated within SLA.

With the exception of the Atlassian team, users do not have access to issues in AMS unless they are assigned to a ticket. This ensures that partners only have access to issues pertaining to their own apps. The attribution service ensures that users are assigned correctly; however, users can still be manually added or removed. Note that once a user is removed from an issue, they will no longer have access. Therefore, if you need to change the Assignee field to another user in your organization, make sure that your username is included in Partner Participants so that you do not lose visibility of the issue.

Our attribution service relies on the security contact as specified by the partner in the Contacts section of their vendor account. Therefore, it is important that the information provided in this section is accurate and up to date.

Visit this page to learn more about how to configure Security contacts.
