Security Bugfix Policy

Scope

The following describes how security bugs are rated and resolved in software provided by Stratus Addons.

Following Atlassian Security Bugfix Policy, all security bugs are assessed according to CVSS v3 scoring system.

Severity Levels

Severity levels are defined by Atlassian policy and are:

• Critical - CVSS v3 score >= 9, to be fixed 2 weeks after discovery

• High - CVSS v3 score >= 7, to be fixed 3 weeks after discovery

• Medium - CVSS v3 score >= 4, to be fixed 5 weeks after discovery

• Low - CVSS v3 score >= 4, to be fixed 6 weeks after discovery

Review

This policy will be kept up to date with requirements stated by Atlassian at all times.