To ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Marketplace apps, Marketplace partners are expected to fix vulnerabilities within the SLAs defined by the bug fix policy. To help partners stay on top of their SLAs, Atlassian will send notifications for vulnerabilities tracked in the AMS project at several points in the ticket lifecycle:
Notifications will appear as comments on the ticket and as email notifications to the security contact specified by the partner. Make sure the security contact is active and up to date, as timely communication is important. If we don’t hear from you within 90 days of ticket creation, Atlassian will de-list and disable your app in the Marketplace for all users.
If for any reason a vulnerability cannot be fixed within SLA, partners can request an SLA extension. Whenever the owner of a vulnerability wishes to receive an SLA extension, they’ll transition the AMS ticket to . When they transition the issue they’ll be prompted to fill out their extension reason, the plan for completing / deploying the fix, and an ETA on resolution.
When an issue is created in AMS, our attribution service will query the partner’s security contact and populate the Assignee and Partner Participants fields. Once a user is added in this way, they will have access to the issue, allowing them to track the vulnerability and any actions associated with it.
A user added to an issue will receive an email notification. We ask that partners actively acknowledge receipt of the vulnerability by following up on the ticket. The Ecosystem Security team will then work with the app owner to ensure that the vulnerability is remediated within SLA.
With the exception of the Atlassian team, users do not have access to issues in AMS unless they are assigned to a ticket. This ensures that partners only have access to issues pertaining to their own apps. The attribution service ensures that users are assigned correctly; however, users can still be manually added or removed. Note that once a user is removed from an issue, they will no longer have access to it. Therefore, if you need to change the Assignee field to another user in your organization, make sure that your username is included in Partner Participants so that you do not lose visibility of the issue.