Effective starting: November 3, 2021
We follow Atlassian's lead, as described in the Security Bug Fix Policy, on how we handle vulnerabilities discovered in our apps.
When we discover or otherwise get notice of a security vulnerability we will set up an incident response team which will assess the vulnerability and rate it according to CVSS v3. You can find a description of the security levels including examples here: atlassian.com - Severity Levels for Security Issues
For all severity levels we will create an issue in our internal Jira disclosing the existence of the vulnerability. We will only disclose details that are safe to share to protect our customer's installations.
We will inform Atlassian of the vulnerability and any steps we are taking, following Atlassian's guidelines .
Based on the severity level we will treat the vulnerability as described below. We might add additional measures to best serve your needs, e.g. inform former customers or evaluators if necessary or communicate to individual organisations.
Medium severity vulnerabilities will be fixed within 8 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.
High severity vulnerabilities will be fixed within 6 weeks of coming to our knowledge and will be released as a bug fix release as soon as possible
Critical severity vulnerabilities will be fixed within 4 weeks of coming to our knowledge and will be released as a bug fix release as soon as possible.