The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.
Security bug fix Service Level Agreement (SLA)
We have defined the following timeframes for fixing security issues in our products:
- Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 4 weeks of being reported
- High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 6 weeks of being reported
- Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 8 weeks of being reported
The critical vulnerability resolution policy below excludes our Cloud products, as these services are always fixed by Atlassian without any additional action from customers.
When a Critical security vulnerability is discovered by Xpand IT or reported by a third party, Xpand IT will do all of the following:
- Issue a new, fixed release for the current version of the affected product as soon as possible.
- All feature versions (e.g. 3.2, 3.3) released within 6 months of the date the fix is released