Last updated: Jan 8, 2021

Additional information: Vulnerability tracking

This program has not yet been launched. As such, information below may be incomplete or subject to change.

Atlassian uses the Atlassian Marketplace Security project (AMS) to track vulnerabilities in Marketplace apps. While vulnerabilities can be reported through many sources, AMS is the single source of truth for security issues.

This page provides additional information about how the AMS project is structured.

Issue types

The AMS project has two issue types, each with its own workflow.

Issue type: Purpose
  Security Vulnerability: Represents vulnerabilities reported through bug bounty, pentesting, and manual assessment. This issue type has a more complex workflow designed for in-depth manual review.
  Ecoscanner Vulnerability: Represents issues reported by scanners. This issue type has a simplified workflow that allows for greater automation.

Workflow statuses

The Security Vulnerability workflow contains the following statuses:

Needs Patch
  Transition trigger: The Atlassian Security team transitions the issue to this status once the issue is confirmed to be valid and has been CVSS scored.
  Actions required: Remediate the security issue within the SLA specified in the ticket.

Needs Security Review
  Transition trigger: Transition the ticket to this status when the issue requires triage or validation from the Ecosystem Security team.
  Actions required: Waiting on the Atlassian Security team to review the security issue. No action from the partner is needed.

Waiting for Release
  Transition trigger: Transition the ticket to this status when the fix has been implemented but not yet released.
  Actions required: Ensure that the release timeline meets the SLA.

Extension Requested
  Transition trigger: Transition the ticket to this status when you are not able to meet the remediation SLA. Provide a detailed remediation plan and a proposed new due date.
  Actions required: Atlassian Security will review the request and either approve or deny it. The ticket is transitioned back to Needs Patch, with the new due date if the request is approved.

Patched
  Transition trigger: Transition the ticket to this status when the vulnerability has been remediated.
  Actions required: The issue is resolved. No further action required.

Duplicate
  Transition trigger: Transition the ticket to this status when you think the issue duplicates another.
  Actions required: Provide a reference to the original issue.

False Positive
  Transition trigger: Transition the ticket to this status when you think the issue is a false positive.
  Actions required: Explain why the issue is not a security vulnerability or is not exploitable.

Won't Fix
  Transition trigger: Transition the ticket to this status when you want to accept the security risk and not remediate the issue.
  Actions required: Provide the reasons for not remediating the issue and any mitigating controls in place.

The Ecoscanner Vulnerability workflow contains the following statuses:

[Workflow diagram: Ecoscanner Vulnerability workflow]

The main distinction is that most of the steps in this workflow are automated and do not require manual intervention. For example, patches are verified automatically by the scanner: if the scanner no longer detects the vulnerability, the issue is resolved automatically.

Fields

There are a substantial number of fields for tracking information about a vulnerability. Partners should pay particular attention to the fields listed below. The remaining fields, which are not listed, are for administrative use by Atlassian Security.

Field: Purpose
  Summary: Vulnerability summary.
  Description: Detailed description of the vulnerability, usually including reproduction steps and impact.
  Assignee: The user assigned to the issue, who is primarily responsible for driving the remediation effort.
  Partner Participants: Additional users from the partner organization's team who need visibility into the issue.
  Bugcrowd Submission URL: If the source of the report is Bugcrowd, this field contains a link to the Bugcrowd submission.
  CVSS V3 Score: CVSS score of the vulnerability.
  CVSS V3 URL: Link to the CVSS calculation; the URL is used to justify how the severity level was determined.
  Vulnerability Severity Level: The severity level of the vulnerability, usually derived from the CVSS score range.
  Source: The original source of the vulnerability, such as Bug Bounty, Atlassian, customer report, or security review. Note that scanner-found vulnerabilities have their own issue type.
  Triage Due Date: The date by which the partner must review and either accept or reject the vulnerability.
  Remediation Due Date: The date by which the partner must fix the vulnerability.
  SLA Violation: Highlights whether the ticket has violated either the Triage or the Remediation SLA.
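The due-date fields above are what a partner will most often want to watch. The following Python script is an added example, not Atlassian's code: it builds a JQL query over the status names on this page and, given issues already fetched from the Jira search endpoint, buckets them by how close they are to breaching an SLA. The custom field ids (customfield_10100 and customfield_10101), the sample issues, and the rule that a set Remediation Due Date governs and the Triage Due Date applies otherwise are all assumptions; look up the real field ids in your own AMS instance (GET /rest/api/2/field) and adjust the rule to your process.

```python
"""Flag AMS issues at risk of breaching the Triage or Remediation SLA.

Added example, not Atlassian's code. It assumes issues were fetched from the
Jira search endpoint (GET /rest/api/2/search?jql=...) and maps the page's
custom fields to hypothetical field ids that will differ in your instance.
"""
from datetime import date

# Status names taken from the Security Vulnerability workflow on this page.
OPEN_STATUSES = (
    "Needs Security Review",
    "Needs Patch",
    "Waiting for Release",
    "Extension Requested",
)
RESOLVED_STATUSES = ("Patched", "Duplicate", "False Positive", "Won't Fix")

# Hypothetical custom field ids (assumption: yours will differ).
FIELD_TRIAGE_DUE = "customfield_10100"       # Triage Due Date
FIELD_REMEDIATION_DUE = "customfield_10101"  # Remediation Due Date


def build_jql(statuses=OPEN_STATUSES, assignee="currentUser()"):
    """JQL selecting open issues in the given statuses, soonest deadline first."""
    quoted = ", ".join(f'"{s}"' for s in statuses)
    return (
        f"project = AMS AND status in ({quoted}) AND assignee = {assignee} "
        'ORDER BY "Remediation Due Date" ASC'
    )


def days_until(due_iso, today):
    """Days from today to an ISO date string, or None if the field is unset."""
    if not due_iso:
        return None
    return (date.fromisoformat(due_iso) - today).days


def classify(issue, today, warn_days=7):
    """Return (key, state, days_left); state is resolved, overdue, due_soon or ok.

    Assumption: once a Remediation Due Date is set it governs the SLA;
    otherwise the Triage Due Date does.
    """
    fields = issue["fields"]
    if fields["status"]["name"] in RESOLVED_STATUSES:
        return issue["key"], "resolved", None
    due = fields.get(FIELD_REMEDIATION_DUE) or fields.get(FIELD_TRIAGE_DUE)
    left = days_until(due, today)
    if left is None:
        return issue["key"], "ok", None
    if left < 0:
        return issue["key"], "overdue", left
    if left <= warn_days:
        return issue["key"], "due_soon", left
    return issue["key"], "ok", left


def summarize(issues, today, warn_days=7):
    """Group issue keys by SLA state, most urgent first within each group."""
    groups = {"overdue": [], "due_soon": [], "ok": [], "resolved": []}
    rows = [classify(i, today, warn_days) for i in issues]
    for key, state, left in sorted(rows, key=lambda r: (r[2] is None, r[2] or 0)):
        groups[state].append(key)
    return groups


# Constructed sample shaped like a trimmed Jira search response (not real data).
TODAY = date(2021, 1, 8)
SAMPLE_ISSUES = [
    {"key": "AMS-101", "fields": {"status": {"name": "Needs Patch"},
                                  FIELD_TRIAGE_DUE: "2020-12-20",
                                  FIELD_REMEDIATION_DUE: "2021-01-10"}},
    {"key": "AMS-102", "fields": {"status": {"name": "Waiting for Release"},
                                  FIELD_TRIAGE_DUE: "2020-12-15",
                                  FIELD_REMEDIATION_DUE: "2021-01-05"}},
    {"key": "AMS-103", "fields": {"status": {"name": "Patched"},
                                  FIELD_TRIAGE_DUE: "2020-12-01",
                                  FIELD_REMEDIATION_DUE: "2020-12-31"}},
    {"key": "AMS-104", "fields": {"status": {"name": "Needs Security Review"},
                                  FIELD_TRIAGE_DUE: "2021-02-01",
                                  FIELD_REMEDIATION_DUE: None}},
]

if __name__ == "__main__":
    print(build_jql())
    for state, keys in summarize(SAMPLE_ISSUES, TODAY).items():
        print(f"{state:9s} {keys}")
```

Run against a real search response, an issue sitting in Waiting for Release with a past Remediation Due Date shows up as overdue even though the fix exists, which is the case where the Extension Requested transition should have been used before the date passed.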

If you have any questions about how to interact with the AMS project, please reach out to the Ecosystem security team through our service desk.