SECURITY BUG FIX POLICY
We make it a priority to ensure that our customers' systems cannot be compromised by exploiting vulnerabilities in our apps. The following describes how and when we resolve security bugs in our apps. It does not describe the complete disclosure or advisory process that we follow.
Security Bug Fix Service Level Objectives (SLO)
We have defined the following target timeframes for fixing security issues in our products. StonikByte will make all possible efforts to fix the security issues in the proposed timeframe, but will not be responsible for delays caused by the Client or for reasons beyond StonikByte's control.
✔ Critical severity bugs to be fixed within 2 weeks of being reported
✔ High severity bugs to be fixed within 4 weeks of being reported
✔ Medium severity bugs to be fixed within 6 weeks of being reported
✔ Low severity bugs to be fixed within 12 weeks of being reported
Critical Vulnerabilities
When a Critical security vulnerability is discovered by StonikByte or reported by a third party, StonikByte will do all of the following:
✔ Notify Atlassian by opening an App Security Incident ticket and stay in contact with the Atlassian security team via the ticket until the issue is resolved.
✔ Issue a new release for the current version of the affected app as soon as possible.
✔ Notify (via e-mail) the affected customers that have a valid maintenance subscription / license and ask them to upgrade to the latest version containing the fix.
Non-critical Vulnerabilities
When a security issue of High, Medium or Low severity is discovered, StonikByte will include a fix in the next scheduled release. You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.
Severity Levels for Security Issues
The table below indicates how we determine the severity of the security issues.

Critical
✔ Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
✔ Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.

High
✔ The vulnerability is difficult to exploit.
✔ Exploitation could result in elevated privileges.
✔ Exploitation could result in significant data loss or downtime.

Medium
✔ Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
✔ Denial of service vulnerabilities that are difficult to set up.
✔ Exploits that require an attacker to reside on the same local network as the victim.
✔ Vulnerabilities where exploitation provides only very limited access.
✔ Vulnerabilities that require user privileges for successful exploitation.

Low
✔ Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access.