Security Bug Fix Policy
We follow Atlassian’s lead, as described in the Security Bug Fix Policy, on how we handle vulnerabilities discovered in our apps.
When we discover or are otherwise notified of a security vulnerability, we will set up an incident response team, which will assess the vulnerability and rate it according to CVSS v3. You can find a description of the security levels, including examples, here.
For all severity levels, we will create an issue in our internal Jira disclosing the existence of the vulnerability. To protect our customers’ installations, we will only disclose details that are safe to share.
Additionally, we will inform Atlassian of the vulnerability and any steps we are taking, following Atlassian’s guidelines.
Based on the severity level, we will treat the vulnerability as described below. We might add additional measures to best serve your needs, e.g. informing former customers or evaluators if necessary, or communicating with individual organisations.