1. Scope and Purpose
We treat confirmed security issues as product safety issues. This policy explains how we handle vulnerability intake, severity assessment, remediation planning, and customer communication for the products covered on this page.
For Atlassian Marketplace cloud apps, we aim to operate in line with Atlassian’s published Marketplace expectations for vulnerability remediation timelines.
2. Covered Products
| Product | Current purpose |
|---|---|
| Campaign Operations Playbook for Confluence | Provides structured campaign planning, launch, reporting, and retrospective workflow content inside Confluence. |
| Content Workflow Templates for Confluence | Provides structured content intake, briefing, planning, review, publishing, and performance workflow content inside Confluence. |
This policy applies to confirmed or reasonably suspected vulnerabilities affecting the current covered products, including deployed app runtime behavior, configuration, permissions, bundled code, release packaging, or security-relevant documentation and communication that could affect customers or customer data.
3. Reporting a Security Issue
Please report suspected security issues through the InfraFastlane support page:
Please include the affected product name, a concise description of the issue, reproduction details if available, affected areas, and any relevant technical evidence. Do not include passwords, access tokens, or confidential data unless specifically requested through an approved support channel.
4. Severity Assessment
We assess vulnerabilities based on severity, exploitability, likely customer impact, and whether there is evidence of real-world abuse. Where useful, we use CVSS-oriented severity language to align communication and remediation planning.
| Severity | CVSS-oriented threshold | Target remediation timeframe |
|---|---|---|
| Critical | 9.0 and above | Within 10 days of report or triage |
| High | 7.0 and above | Within 4 weeks of report or triage |
| Medium | 4.0 and above | Within 12 weeks of report or triage |
| Low | Below 4.0 | Within 25 weeks of report or triage |
If a vulnerability appears actively exploitable or presents immediate customer risk, we may act faster than these target timeframes through mitigations, feature restrictions, emergency updates, or temporary disabling of affected functionality.
5. Shared Investigation and Remediation Approach
- review the report and confirm whether the issue is reproducible
- assess severity and likely customer impact
- decide whether temporary mitigation is needed before a full fix
- prepare and test a product update or configuration change where required
- document the issue, affected versions, and remediation outcome
- coordinate customer and Marketplace communication where appropriate
6. Product Notes for the Current App Portfolio
Campaign Operations Playbook for Confluence
The current version is intentionally narrow in scope. It does not operate an external backend, does not use Forge remote, does not declare external egress, and does not request Confluence read or write scopes.
Content Workflow Templates for Confluence
The current version follows the same low-permission model. It is intended to let users browse, search, preview, and copy workflow content without automatically creating, editing, deleting, reading, exporting, or analyzing customer Confluence pages.
7. Customer Communication
Where a confirmed vulnerability may affect customers, we will communicate in a way that is clear, honest, and proportionate to the issue. Depending on the situation, this may include direct support communication, customer-facing notices, Marketplace-related coordination, or a formal vulnerability notification.
Separate communication templates are maintained for security incidents and vulnerability notifications:
- https://infrafastlane.dev/security-incident-communication/
- https://infrafastlane.dev/vulnerability-notification/
8. Related Pages