Skip to end of banner
Go to start of banner

SLA

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Current »

The following table outlines a vulnerability’s timeframe for resolution by severity type for our app.

Severity

CVSS Score

Timeframe for resolution

Critical

CVSS v3 >= 9.0

Must be fixed within 4 weeks of being reported or triaged.

High

CVSS v3 >= 7.0

Must be fixed within 6 weeks of being reported or triaged.

Medium

CVSS v3 >= 4.0

Must be fixed within 8 weeks of being reported or triaged.

Low

CVSS v3 < 4.0

Must be fixed within 25 weeks of being reported or triaged.

Data Center and Server Apps

The following table outlines a vulnerability’s timeframe for resolution by severity type for data center and server apps.

Severity

CVSS Score

Timeframe for resolution

Critical

CVSS v3 >= 9.0

Must be fixed within 90 days of being reported or triaged.

High

CVSS v3 >= 7.0

Must be fixed within 90 days of being reported or triaged.

Medium

CVSS v3 >= 4.0

Must be fixed within 90 days of being reported or triaged.

Low

CVSS v3 < 4.0

Must be fixed within 180 days of being reported or triaged.

Enforcement

Failure to meet vulnerability due dates reported in AMS may result in either temporary or permanent enforcement. Atlassian does not take enforcement lightly, and is committed to working with partners to determine a plan in addressing vulnerabilities by their due dates.

The following enforcement happens once the due date is breached. Vulnerabilities that pose the most risk to customers will be taken the most seriously. Therefore, there are differences in enforcement based on the severity of the vulnerability and the hosting type.

Severity

Cloud

Data Center & Server

Critical

Hide the app

Hide the app

High

  • If the app has no badges, then Atlassian will hide the app on the first day the due date is breached.

  • If the app has at least one badge, then Atlassian will:

    • remove badge(s) on the first day the due date is breached;

    • hide the app if the due date is breached for more than 15 days

Hide the app

Medium

Only applies when the enforcement threshold is met, which is 3 active medium due date breaches

  • If the app has no badges, then Atlassian will hide the app on the first day the due date is breached.

  • If the app has at least one badge, then Atlassian will:

    • remove badge(s) on the first day the due date is breached;

    • hide the app if the due date is breached for more than 15 days

Hide the app

Low

Only applies when the enforcement threshold is met, which is 4 active low due date breaches

  • If the app has no badges, then Atlassian will hide the app on the first day the due date is breached.

  • If the app has at least one badge, then Atlassian will:

    • remove badge(s) on the first day the due date is breached;

    • hide the app if the due date is breached for more than 15 days

  • No labels