
Vulnerability Disclosure Policy

Report a Vulnerability

If you believe you have found a security issue, please submit a ticket at our support desk.

Security researchers are welcome to ask for an invite to our bug bounty program, which makes them eligible for a bounty payment.

Bug Bounty Program

S/Notify takes part in Atlassian’s Marketplace Bug Bounty program, hosted on the Bugcrowd platform, where independent security researchers work to find hidden vulnerabilities. The program effectively extends our own know-how with these experts' deep and wide security knowledge.

In addition to that, the Bug Bounty Program defines required response times for any security vulnerability found by the program’s security researchers.

Security researchers in this program are bound not to disclose a vulnerability before a fix is available.

Safe Harbour

When conducting vulnerability research according to this policy, we consider this research to be

  • authorised in accordance with the Computer Fraud and Abuse Act (CFAA) and similar laws in other countries, and we will not initiate or support legal action against you for accidental, good faith violations of this policy;

  • exempt from the Digital Millennium Copyright Act (DMCA) and similar laws in other countries, and we will not bring a claim against you for circumvention of technology controls;

  • exempt from any restrictions in our End User License Agreement that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;

  • lawful, and helpful to the overall security of the Internet, and conducted in good faith.

If you have concerns, or are uncertain whether your security research is consistent with this policy, please do not hesitate to contact us for clarification.

Bug Fix Policy

While the Bug Bounty program defines required response times for fixing security vulnerabilities, our aim is to always make security our first priority. Therefore, if a high or medium severity vulnerability is found and can be confirmed by us, we start working on it almost immediately.

We always provide fix releases for the same host application versions (Jira, Confluence, Bitbucket) that the app’s previous major or minor release supported, even if those host versions have gone out of maintenance support in the meantime, so customers will always be able to update to a fix release.

Vulnerability Disclosure Policy

As soon as a fix has been made available, we immediately inform our customers in a security advisory about

  • which vulnerability has been found

  • its assessed severity (according to CVSS)

  • how to mitigate it if possible

  • how to fix it (usually by installing the fix release)

CVE Database

We also publish vulnerabilities as CVEs (Common Vulnerabilities and Exposures entries) so that our customers’ vulnerability scanning tools can detect affected versions.

However, the publication of CVEs has turned out to be cumbersome, so a CVE may appear with some delay, possibly a significant one, after we have already informed our customers and published the information here.
