...

The following describes how and when Broken Build LLC LLP (a provider of downloadable and cloud-based applications through the Atlassian Marketplace) resolves security bugs in our Apps. It does not describe the complete disclosure or advisory process that we follow.

...

These timeframes apply to all cloud-based Broken Build LLC LLP Apps, and any other software or system that is managed by Broken Build LLC LLP, or is running on Broken Build LLC LLP infrastructure.

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 2 weeks of being reported

  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 4 weeks of being reported

  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 6 weeks of being reported

  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 25 weeks of being reported

...

These timeframes apply to all self-managed Broken Build LLC LLP products.

  • Critical, High, and Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 90 days of being reported

  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 180 days of being reported

...

When a Critical security vulnerability is discovered by Broken Build LLC LLP or reported by a third party, Broken Build LLC LLP will do all of the following:

...

The severity level of a vulnerability is calculated based on Severity Levels for Security Issues by Atlassian.