1. Purpose
We treat confirmed security issues as product safety issues. This policy explains how we handle vulnerability intake, severity assessment, remediation planning, and customer communication for the current app version.
For Atlassian Marketplace cloud apps, we aim to operate in line with Atlassian’s published Marketplace expectations for vulnerability remediation timelines.
2. Scope
This policy applies to confirmed or reasonably suspected security vulnerabilities affecting Campaign Operations Playbook for Confluence, including vulnerabilities in the deployed app runtime, configuration, permissions, bundled code, or release packaging that could affect customers or customer data.
3. Reporting a Security Issue
Please report suspected security issues through the InfraFastlane support page: https://infrafastlane.dev/support/
Please include the app name, a concise description of the issue, reproduction details if available, affected areas, and any relevant technical evidence. Do not include passwords, access tokens, or confidential data unless specifically requested through an approved support channel.
4. Severity Assessment
We assess vulnerabilities based on severity, exploitability, likely customer impact, and whether there is evidence of real-world abuse. Where useful, we use CVSS-oriented severity language to align communication and remediation planning.
| Severity | CVSS-oriented threshold | Target remediation timeframe |
|---|---|---|
| Critical | 9.0 and above | Within 10 days of report or triage |
| High | 7.0 and above | Within 4 weeks of report or triage |
| Medium | 4.0 and above | Within 12 weeks of report or triage |
| Low | Below 4.0 | Within 25 weeks of report or triage |
If a vulnerability appears actively exploitable or presents immediate customer risk, we may act faster than these target timeframes through mitigations, feature restrictions, emergency updates, or temporary disabling of affected functionality.
5. Investigation and Remediation
When a report is received, we:
- review the report and confirm whether the issue is reproducible
- assess severity and likely customer impact
- decide whether temporary mitigation is needed before a full fix
- prepare and test a product update or configuration change where required
- document the issue, affected versions, and remediation outcome
6. Customer Communication
Where a confirmed vulnerability may affect customers, we will communicate in a way that is clear, honest, and proportionate to the issue. Depending on the situation, this may include direct support communication, customer-facing notices, Marketplace-related coordination, or a formal vulnerability notification.
Separate communication templates are maintained for security incidents and vulnerability notifications:
- https://infrafastlane.dev/security-incident-communication/
- https://infrafastlane.dev/vulnerability-notification/
7. Product Notes for the Current App
The current app version is intentionally narrow in scope. It does not operate an external backend, does not use Forge remote, does not declare external egress, and does not request Confluence read or write scopes. This reduces the likely attack surface, but does not eliminate the need for timely remediation if a confirmed issue is found.
8. Related Pages
- Data Security and Privacy Statement: https://infrafastlane.dev/security/
- Security Incident Communication: https://infrafastlane.dev/security-incident-communication/
- Vulnerability Notification: https://infrafastlane.dev/vulnerability-notification/
- Support: https://infrafastlane.dev/support/