The following describes how and when Y2 ENGINEERING SP ZO.O. (a provider of downloadable and cloud-based applications under the Release Management brand name through the Atlassian Marketplace) resolve security bugs in our Apps. It does not describe the complete disclosure or advisory process that we follow.
We have defined the following timeframes for fixing security issues in our products:
These timeframes apply to all cloud-based Release Management LLC Apps, and any other software or system that is managed by Release Management LLC, or is running on Release Management LLC infrastructure.
Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 2 weeks of being reported
High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 4 weeks of being reported
Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 6 weeks of being reported
Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 25 weeks of being reported
These timeframes apply to all self-managed Release Management LLC products.
Critical, High, and Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 90 days of being reported
Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 180 days of being reported
When a Critical security vulnerability is discovered by Release Management LLC or reported by a third party, Release Management LLC will do all of the following:
Issue a new, fixed release for the current version of the affected product as soon as possible
When a security issue of a High, Medium or Low severity is discovered we will include a fix in the next scheduled release.
Severity level of vulnerabilities is calculated based on Severity Levels for Security Issues by Atlassian.