Last updated Jul 25, 2022

Vulnerability management for Marketplace apps

At Atlassian, we have an extensive Vulnerability Management program which aims to reduce the frequency and severity of vulnerabilities in Atlassian products. We are taking a similar approach for managing vulnerabilities in Marketplace apps. Because Marketplace apps represent a large attack surface with potentially significant customer impact, we believe that a methodical process for identifying, tracking and resolving vulnerabilities in Marketplace apps is necessary.

In this section, we provide an overview of how we go about identifying and managing vulnerabilities in Marketplace apps and what is expected of app developers as part of this program.

Vulnerability identification

We combine several approaches to identifying vulnerabilities in Marketplace apps. These include:

We are continuously evaluating new ways to improve the maturity of our discovery methods. Existing programs may evolve over time, and new programs may be added.

Vulnerability tracking

To maximize the efficiency of vulnerability management across Marketplace apps, we have created a single integrated solution for tracking vulnerabilities regardless of source. We are leveraging https://ecosystem.atlassian.net, which is widely used for communications between partners and Atlassian, to create a single source of truth for tracking and resolving security vulnerabilities in Marketplace apps.

When a vulnerability in a Marketplace app is discovered through any of the sources listed above, it will be raised in a single Jira project called Atlassian Marketplace Security. This means that we have a single point from which to track vulnerabilities identified in Marketplace apps to ensure that nothing is overlooked. This will also help Atlassian spot common security gaps across all Marketplace apps to then prioritize more comprehensive solutions at the platform level.


To get access to the Atlassian Marketplace Security Jira, refer to Step 3 in this playbook.

To learn more about how SLA management works and what is expected from partners, please review the SLA management document. For more information about how the Atlassian Marketplace Security project is structured, see Additional information: Vulnerability tracking.
