Security Vulnerabilities Process

Topics

Introduction

The following describes how and when Y2 ENGINEERING SP ZO.O. (a provider of downloadable and cloud-based applications under the Release Management Apps (“Release Management”) brand name through the Atlassian Marketplace) resolve security bugs in our Apps. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Objectives (SLO)

We have defined the following timeframes for fixing security issues in our products:

Accelerated resolution timeframes

These timeframes apply to all cloud-based Release Management LLC Apps, and any other software or system that is managed by Release Management LLC, or is running on Release Management LLC infrastructure.

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 2 weeks of being reported

  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 4 weeks of being reported

  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 6 weeks of being reported

  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 25 weeks of being reported

Extended resolution timeframes

These timeframes apply to all self-managed Release Management LLC products.

  • CriticalHigh, and Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 90 days of being reported

  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed in product within 180 days of being reported


Critical vulnerabilities

When a Critical security vulnerability is discovered by Release Management LLC or reported by a third party, Release Management LLC will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered we will include a fix in the next scheduled release.

Other information

Severity level of vulnerabilities is calculated based on Severity Levels for Security Issues by Atlassian.

Reporting Security Vulnerabilities

This section of the document aimed to outline details on how customers and their teams can report security vulnerabilities found in the App and the process for Release Management (by Y2 ENGR.) responding to such requests.

Background

We keep a high standard of information security within our Apps and solutions. Therefore we are welcoming any information on potential vulnerabilities you might have found. We aim to take every issue reported, acknowledge the problem (is any) and fix in reasonable time. Over the course of resolutions we are happy to keep an open conversation about root causes and paths we are taking to address. We will also inform other clients about critical vulnerabilities found as outlined above in this document.

How to report security vulnerabilities?

Anyone can report security vulnerabilities. We are not limiting this to authorized people only (people holding customer licenses or executing the latest transaction). Sametime we appreciate the indication of the client to help us streamline the investigation.

Security issues should be sent either via our Service Desk Portal (https://releasemanagement.atlassian.net/servicedesk/customer/portal/11/group/16/create/80) or sent via support email (security@releasemanagement.app).

We will acknowledge the issue within 24 hours and advice on mitigation timelines or reject the request providing inside out details.

Resolution timeframes are dependent on criticality and match the timelines outlined above.

All the communication about the reported issue should be made in scope of Service Desk ticket created or email thread initiated.