Security vulnerabilities process

Scope

The following describes how and when Broken Build LLP (a provider of downloadable and cloud-based applications through the Atlassian Marketplace) resolve security bugs in our Apps. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Objectives (SLO)

We have defined the following timeframes for fixing security issues in our products:

Accelerated resolution timeframes

These timeframes apply to all cloud-based Broken Build LLP Apps, and any other software or system that is managed by Broken Build LLP, or is running on Broken Build LLP infrastructure.

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 2 weeks of being reported

  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 4 weeks of being reported

  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 6 weeks of being reported

  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 25 weeks of being reported

Extended resolution timeframes

These timeframes apply to all self-managed Broken Build LLP products.

  • CriticalHigh, and Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 90 days of being reported

  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 180 days of being reported


Critical vulnerabilities

When a Critical security vulnerability is discovered by Broken Build LLP or reported by a third party, Broken Build LLP will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered we will include a fix in the next scheduled release.

Other information

Severity level of vulnerabilities is calculated based on Severity Levels for Security Issues by Atlassian.