Actonic makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Actonic apps for various Atlassian products. 

Use the Service Desk portal https://actonic.atlassian.net/servicedesk/customer/portal/8 to submit a bug report.

Scope

The following describes how and when we resolve security bugs in our apps and applies only to applications for various Atlassian products. It does not describe the complete disclosure or advisory process that we follow or any other processes for non-Atlassian related products.

Security bug fix Service Level Agreement (SLA)

We have defined the following timeframes for fixing security issues in our products:

  • Critical severity bugs will be fixed in an app within 4 weeks of being reported

  • High severity bugs will be fixed in an app within 6 weeks of being reported

  • Medium severity bugs will be fixed in an app within 8 weeks of being reported

Critical Vulnerabilities

When a Critical security vulnerability is discovered by Actonic or reported by a third party, Actonic will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible.

  • Remove the affected release from the marketplace listing to avoid any future usage.

| App | Security update policy |
| --- | --- |
| All the officially supported apps for Server and Data Center products | We will only issue new bug fix releases for the current release version. Customers should update the app from the marketplace when a bug fix release becomes available to ensure that the latest fixes have been applied. |
| All the officially supported apps for Cloud products | The critical vulnerabilities resolution process does not apply to our Cloud products as these services are always fixed by Actonic without any additional action from customers. |

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, Actonic will include a fix in one of the next scheduled releases.