This is a list of all Security Advisories we have published for S/Notify for Jira, Confluence, and/or Bitbucket
Our Security Measures
No software is free of issues. However, security issues require a special treatment, and this is how we strive to provide our software with the highest possible quality with regard to security:
Our apps have to pass automated testing each and every day. Each source code modification is tested against our set of automated tests.
The main purpose of our automated tests is to avoid regressions. Therefore, the apps' core functionality, all critical fixes, and most other fixes are guarded by an automated test.
Bug Bounty Program
S/Notify takes part in Atlassian’s Marketplace Bug Bounty program, hosted by the renowned Bugcrowd platform, where security researchers work hard to find hidden vulnerabilities. The program effectively extends our own know-how with these experts' deep and wide security knowledge.
In addition to that, the Bug Bounty Program defines minimum response times for any security vulnerabilities found by this program’s security researchers.
Security researchers in this program are bound not to disclose a vulnerability before a fix is available.
Bug Fix Policy
While the Bug Bounty program defines minimum response times to fix security vulnerabilities, our aim is to always make security our first priority. Therefore, if high or medium severity vulnerabilities are found, we start working on them almost immediately.
As soon as a fix has been made available, we immediately inform our customers in a security advisory about:
which vulnerability has been found
its assessed severity (according to CVSS)
how to mitigate it if possible
how to fix it (usually by installing the fix release)
We use the email address of your technical contact as provided in the license and transaction data.
Please always make sure that you have provided a working and useful email address – otherwise we won’t be able to reach you!
We will also post information on the apps' status page. We recommend that you subscribe to it.
We always provide fix releases for the same host application versions as the app’s previous major or minor release, even if they have gone out of maintenance support in the meantime, so customers will always be able to update to a fix release.
We also publish vulnerabilities as CVEs (Common Vulnerability Entries) to enable our customers to use vulnerability scanning tools.
However, publishing CVEs turns out to be cumbersome, so the CVEs might appear with some delay after we have already informed our customers and published the information here.