Security Bugfix Policy
Scope
The following describes how security bugs are rated and resolved in software provided by Stratus Addons.
Following the Atlassian Security Bugfix Policy, all security bugs are assessed according to the CVSS v3 scoring system.
Severity Levels
Severity levels are defined by Atlassian policy and are:
Critical - CVSS v3 score >= 9, to be fixed 2 weeks after discovery
High - CVSS v3 score >= 7, to be fixed 3 weeks after discovery
Medium - CVSS v3 score >= 4, to be fixed 5 weeks after discovery
Low - CVSS v3 score >= 4, to be fixed 6 weeks after discovery
Review
This policy will be kept up to date with requirements stated by Atlassian at all times.