Security Bug Fix Service Level Agreement for Atlassian Plugins
Security bugs
We have defined the following time-frames for fixing security issues in our products based on the CVSS v3 scoring system:
- Critical severity bugs (score >= 9) to be fixed in product within 4 weeks of being reported
- High severity bugs (score >= 7) to be fixed in product within 5 weeks of being reported
- Medium severity bugs (score >= 4) to be fixed in product within 6 weeks of being reported
Critical Vulnerabilities
When a Critical security vulnerability is discovered or reported by a third party, we will issue a new, fixed release for the current version of the affected product as soon as possible (see above). We will additionally issue a new maintenance release for the previous 2 versions, provided they were released within the 6 months preceding the release date of the fix.
Non-critical vulnerabilities
When a security issue of a High, Medium or Low severity is discovered, we will include a fix in the next scheduled release or may issue an early release.