Last updated Oct 20, 2023

FAQ: Vulnerability management for marketplace apps

What is an AMS Ticket?

At Atlassian, we monitor and manage security vulnerabilities identified in third-party apps through AMS (Atlassian Marketplace Security). AMS is a single Jira project exclusively owned and operated by Atlassian. Within AMS, we create and manage tickets to promptly inform our partners about vulnerabilities and to track the progress of remediation. Each AMS ticket contains comprehensive details about the vulnerability and provides steps to mitigate the threat. If you receive an AMS ticket, we kindly request that you thoroughly review its contents and due dates, and take the necessary actions to address the vulnerability promptly. Your swift response and cooperation are greatly appreciated.

Who has access to an AMS ticket?

Outside of Atlassian, only the individuals who are added to the ticket through the 'assignee' field and the 'partner participants' field have access to the ticket. These individuals are identified based on the information provided in the partner profile.

How do I add/remove individuals from an AMS ticket?

Assigning the ticket to another team member automatically grants them access. If you need to add or remove an individual from all your previous, current, and future AMS tickets, please refer to the instructions provided in the developer documentation at Access to AMS. Please note that access to the tickets is managed through automation; at present, manual updates to the 'partner participants' field are not supported.

Some of our team members are already marked as a Security contact but still cannot see the issue?

Please allow 24 hours for our automation to process the changes. Ensure that you have completed all three of the steps described at Access to AMS. If, after 24 hours have passed and all three steps have been completed, you still do not see your teammates in the 'partner participants' field, please leave a comment on the ticket and change the ticket status to 'Atlassian Input Requested' or 'In Review'.

We need an extension on the due dates?

Atlassian does not typically accept extension requests unless there are exceptional circumstances. Please review our security bugfix policy to understand the criteria for extensions.

We have fixed this vulnerability, but the scanner is not resolving the ticket. Why?

Our automated scanner, EcoScanner, re-validates the vulnerability once a day. The ticket will be automatically closed within 24 hours if the vulnerability has truly been remediated by the patch. If the AMS ticket is related to a Bug Bounty submission, please update the status on the submission, and the automation will sync the status and resolve the AMS ticket. If the ticket is still not resolving after you have applied the patch, please leave a comment on the ticket with details of the fix and change the ticket status to 'Atlassian Input Requested' or 'In Review'.

This AMS ticket appears to be a false positive. Could you please close it or mark it as Resolved?

If you believe the AMS ticket is a false positive, please comment on the ticket with the context and details of why you believe the vulnerability is not valid. Then transition the ticket to 'Atlassian Input Requested' or 'In Review'.

We're retiring our application from the Atlassian Marketplace. How should we proceed?

If you would like to delist/retire your Marketplace app, please create a request here. After you have created the request, please comment on the AMS ticket with a link to it. The scanner should close the AMS ticket within 7 days of the archival. If the scanner opens a ticket after the app has been retired/archived, or does not close the ticket within that period, please create a request here.

We fixed the vulnerability. How long will it take to unhide the app?

Apps are hidden only if the SLAs are breached. Once the vulnerability is remediated, you can expect the app to be unhidden within 24 hours. If you need immediate assistance, please transition the ticket to 'Atlassian Input Requested' or 'In Review'.

What is the two-week triage period?

The two-week triage period applies only to Bug Bounty AMS tickets. When you receive a Bug Bounty submission, please review and triage it (accept or reject) within 2 weeks in your Bugcrowd portal. Once triaged, the AMS ticket automatically moves to the 'Needs Patch' state, and our automation calculates the Remediation due date and sets the field.
