The following table outlines a vulnerability’s timeframe for resolution by severity type for our app.
Severity | CVSS Score | Timeframe for resolution |
---|---|---|
Critical | CVSS v3 >= 9.0 | Must be fixed within 4 weeks of being reported or triaged. |
High | CVSS v3 >= 7.0 | Must be fixed within 6 weeks of being reported or triaged. |
Medium | CVSS v3 >= 4.0 | Must be fixed within 8 weeks of being reported or triaged. |
Low | CVSS v3 < 4.0 | Must be fixed within 25 weeks of being reported or triaged. |
Data Center and Server Apps
The following table outlines a vulnerability’s timeframe for resolution by severity type for data center and server apps.
Severity | CVSS Score | Timeframe for resolution |
---|---|---|
Critical | CVSS v3 >= 9.0 | Must be fixed within 90 days of being reported or triaged. |
High | CVSS v3 >= 7.0 | Must be fixed within 90 days of being reported or triaged. |
Medium | CVSS v3 >= 4.0 | Must be fixed within 90 days of being reported or triaged. |
Low | CVSS v3 < 4.0 | Must be fixed within 180 days of being reported or triaged. |
Enforcement
Failure to meet vulnerability due dates reported in AMS may result in either temporary or permanent enforcement. Atlassian does not take enforcement lightly, and is committed to working with partners to determine a plan in addressing vulnerabilities by their due dates.
The following enforcement happens once the due date is breached. Vulnerabilities that pose the most risk to customers will be taken the most seriously. Therefore, there are differences in enforcement based on the severity of the vulnerability and the hosting type.
Severity | Cloud | Data Center & Server |
---|---|---|
Critical | Hide the app | Hide the app |
High |
| Hide the app |
Medium |
| Hide the app |
Low |
|
0 Comments