We follow Atlassian's lead, as described in the Security Bug Fix Policy, on how we handle vulnerabilities discovered in our apps.
When we discover or otherwise get notice of a security vulnerability we will set up an incident response team which will assess the vulnerability and rate it according to CVSS v3. You can find a description of the security levels including examples here.
For all severity levels we will create an issue of type Security Advisory in our Jira disclosing the existence of the vulnerability. This issue will only be made public when a bug fix release is available to secure the vulnerability. We will only disclose details that are safe to share to protect our customer's installations.
Additionally we will inform Atlassian of the vulnerability and any steps we are taking, following Atlassian's guidelines.
Based on the severity level we will treat the vulnerability as described below. We might add additional measures to best serve your needs, e.g. inform former customers or evaluators if necessary or communicate to individual organisations.
Medium severity level
Medium severity vulnerabilities will be fixed within 8 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.
High severity level
High severity vulnerabilities will be fixed within 6 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.
Critical severity level
Critical severity vulnerabilities will be fixed within 4 weeks of coming to our knowledge and will be released as a bug fix release as soon as possible.
Furthermore we will send a Security Advisory email to all known customers and evaluators, i.e. the contacts for the licenses registered at my.atlassian.com.