Vulnerability Disclosure Policy
Report a Vulnerability
If you believe you have found a security issue, please submit a ticket at our support desk.
Security researchers are welcome to ask for an invite to our bug bounty program to become eligible for a bounty payment.
Bug Bounty Program
S/Notify takes part in Atlassian’s Marketplace Bug Bounty program, hosted on the Bugcrowd platform, where independent security researchers actively look for vulnerabilities in Marketplace apps. The program effectively extends our own know-how with these experts' deep and wide security knowledge.
In addition, the Bug Bounty program defines minimum response times for any security vulnerability reported by the program’s researchers.
Security researchers in this program are bound not to disclose a reported vulnerability before a fix is available.
Safe Harbour
When conducting vulnerability research according to this policy, we consider this research to be
authorised in accordance with the Computer Fraud and Abuse Act (CFAA) in the USA, the so-called hacker paragraph (§ 202a ff. StGB) in Germany, and similar laws in other countries, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;
exempt from the Digital Millennium Copyright Act (DMCA) and similar laws in other countries, and we will not bring a claim against you for circumvention of technology controls;
exempt from any restrictions in our End User License Agreement that would interfere with conducting security research, and we waive those restrictions on a limited basis for work done under this policy;
lawful, and helpful to the overall security of the Internet, and conducted in good faith.
If you have concerns or are uncertain whether your security research is consistent with this policy, please do not hesitate to contact us for clarification.
Bug Fix Policy
While the Bug Bounty program defines minimum response times for fixing security vulnerabilities, we always treat security as our first priority. Therefore, once a high- or medium-severity vulnerability has been reported and confirmed by us, we start working on a fix almost immediately.
We always provide fix releases for the same host application versions (Jira, Confluence, Bitbucket) that the app’s previous major or minor release supported, even if those host versions have gone out of maintenance support in the meantime, so that customers are always able to update to a fix release.
Vulnerability Disclosure Policy
As soon as the fix has been made available, we immediately inform our customers in a security advisory about:
which vulnerability has been found
its assessed severity (according to CVSS)
how to mitigate it if possible
how to fix it (usually by installing the fix release)
CVE Database
We also publish vulnerabilities as CVEs (Common Vulnerabilities and Exposures entries) so that our customers can detect affected versions with vulnerability scanning tools.
However, CVE publication has turned out to be a cumbersome process, so a CVE may appear with some delay, sometimes a significant one, after we have already informed our customers and published the information here.