Handling of Security Vulnerabilities
How to report security vulnerabilities?
Reach out to us using email: support@celix.at. If possible, please encrypt your email with our public key. You can find the current key here (simply search for "support@celix.at").
Please include the following in your mail:
app affected
product, platform & version affected
steps to reproduce
ideas on how to fix the vulnerability
Bug-Bounties
We do not offer bug bounties at this moment.
Responsible Disclosure
We understand that you might want to publish your findings about a vulnerability as soon as possible. Please give us the time to verify the security vulnerability and produce a bugfix for it. For high and critical vulnerabilities we try to offer short SLOs (see below) to not keep you waiting for too long.
Categorization & Service Level Objectives
Vulnerability in the app itself
| Severity | Criteria | SLO |
|---|---|---|
| Critical | CVSS v2 score >= 8, CVSS v3 score >= 9 | 7 days after verification |
| High | CVSS v2 score >= 6, CVSS v3 score >= 7 | 14 days after verification |
| Medium | CVSS v2 score >= 3, CVSS v3 score >= 4 | 90 days after verification |
| Low | CVSS v2 score < 3, CVSS v3 score < 4 | 180 days after verification |
Vulnerability in a dependency
| Severity | Criteria | SLO |
|---|---|---|
| Critical | CVSS v2 score >= 8, CVSS v3 score >= 9 | 7 days after fix is available |
| High | CVSS v2 score >= 6, CVSS v3 score >= 7 | 14 days after fix is available |
| Medium | CVSS v2 score >= 3, CVSS v3 score >= 4 | 90 days after fix is available |
| Low | CVSS v2 score < 3, CVSS v3 score < 4 | 180 days after fix is available |
Backporting Policy
We will backport security bugfixes with a priority of critical and high for all LTS releases currently supported by Atlassian. See Atlassian's End of Life Policy for the products currently supported and the list of LTS Releases for which releases qualify.