We follow Atlassian's Security Bug Fix Policy on how we handle vulnerabilities discovered in our apps.
When we discover or get notified of a security vulnerability, we will assess the vulnerability and rate it according to CVSS v3. You can find a description of the security levels here.
For all severity levels, we will create a Security Advisory page in our Help Center. This page will only be made public when a bug fix release is available to secure the vulnerability. We will only disclose details that are safe to share to protect our customer's installations. Additionally, we will inform Atlassian of the vulnerability and any steps we are taking, following Atlassian's guidelines.
Based on the severity level, we will treat the vulnerability as described below. We might add additional measures to best serve your needs, e.g., inform former customers or evaluators if necessary or communicate to individual organizations.
Medium severity level
Medium severity vulnerabilities will be fixed within 8 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.
High severity level
High severity vulnerabilities will be fixed within 6 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.
Critical severity level
Critical severity vulnerabilities will be fixed within 4 weeks of coming to our knowledge and will be released as a bug fix release as soon as possible.
Moreover, we will send a Security Advisory email to all known customers and evaluators, i.e., the contacts for the licenses registered at my.atlassian.com.