Hiya, everyone! TL;DR Atlassian is working to make relevant security information more accessible to customers so that it’s easier for them to buy your apps. The beginning of those changes are highlighted below.
Trust and security are incredibly important to our customers. App trust is one of their prevailing concerns, especially as they migrate to the cloud. Our customers expect all apps in the marketplace to be secure, and they expect Atlassian to help them determine which apps are prioritizing security and implementing strong security practices.
In an effort to address these concerns, partners can now opt in to allow Security Self-Assessment responses to be shared with customers who are evaluating their app. The responses will be shared directly with customers upon request; they will not be public-facing.
Learn more about this update on the developer blog. We’ve included more details about how you can opt in, what we share, and how you can request changes to your response. If you have any questions, please comment in the thread!
I generally like this initiative but wonder if the existing self-assessment questionnaire is really sufficient for customers. Filling and updating CAIQ Lite annually is certainly more work than the existing self-assessment questionnaire but I felt partners and customers would get much more value from it. I also liked the CAIQ Lite initiative because it is something that is known in the industry and to customers. Also, the feedback from the review of the CAIQ Lite submission was very useful (this feedback loop does not exist with the self-assessment questionnaire).
We get security questionnaires from customers here and there and I can say they generally always go beyond what is in the existing self-assessment questionnaire (sometimes even beyond CAIQ Lite).
Hi @JakeComito. I am new here and we are making a lot of changes here to our security program so I was wondering if there is a way to update and review our self assessment on an ongoing basis rather than once a year.
In an effort to address these concerns, partners can now opt in to allow Security Self-Assessment responses to be shared with customers who are evaluating their app. The responses will be shared directly with customers upon request; they will not be public-facing.
I’d like to opt-in and then approve each request before my answers are shared as I’m concerned this information will encourage “beg bounty” extortion attempts.
Hey, everyone! Please see the answers to all of these questions below. Thanks for your patience, and thanks to all of you who have already submitted the consent form!
@boris , we will only share consented responses to customers who make direct requests to Atlassian.
@tbinna , we are planning to make security information easier to access and understand, and we are considering future changes to this program to help support our goal of transparency. We discontinued that CAIQ Lite program, but that does not mean it’s completely off-the-table forever. It’s interesting to hear that you liked the goals of that initiative - please feel free to reach out with more feedback! I’m all ears.
@DougKersten , welcome, welcome! You can re-submit the self-assessment every time you make changes that impact your responses. Please follow the steps outlined here. This is a good practice, especially if you consent to us sharing responses with customers. This will ensure that we’re always sharing the most up-to-date information. I hope this helps, and I’m glad to hear that you are enhancing your security programs! PS. @anshuman , this should answer your question, as well.
@danielwester, I am sensing that you’re interested in communicating with customers directly about security. I think that’s great, and I’d encourage you to do so! Currently, the only security information we make available to customers is participation in programs and now these responses, if you consent to it. You can position these responses however you want. Also, you can link public documentation that you want shared with customers in your self-assessment responses that you submit to Atlassian. If you have feedback on other information that you would like us to showcase to customers in the future, please let me know!
@james.dellow , we’re not allowing consent on a per-customer basis at this time.
I think what @danielwester is referring to is that we made the answers fit the audience. How we talk to Atlassian is different than how we would talk to a customer. So, I’d almost like a way to have more information that’s shared to Atlassian that’s not shared directly to the customer.
What % of customers that are security conscious (I would also be interested to understand what information tends to qualify a customer into this segment from Atlassian’s perspective) aren’t working with a Partner on Atlassian Cloud interactions?
Do customers working with Partners now need to have an out of band conversation with Atlassian?
All different types of customers ask Atlassian about Trust across all of our offerings, including Marketplace. I don’t have a percentage of customers to share with you. And to address your last question, no - there’s no new requirement.
Can you please share the expected user journey (as it related to this thread) for a customer moving from Server to Cloud who is working with an Atlassian Solutions Partner?
We’re both a Marketplace and a Solution Partner and are actively working with multiple enterprises planning a Cloud migration where app security is a key risk item. Understanding how this is going to work for this type of scenario is of interest to me in both of those personas.
Hi @boris -
We hear from Solution Partners and internal sales teams alike that customers are struggling with the effort required to evaluate risk across their many Marketplace Apps as they’re considering migrating to Cloud. This is typically part of the pre-sales due diligence process as they’re building towards making a financial investment in cloud.
We would like to reduce the friction that our Sales teams and Solution Partners face in this due diligence process by making security information more readily available to customers. We don’t yet know the vehicle with which we will make this information available to Solution Partners in service of client engagements. I hope this helps you understand the intention of requesting your consent and how it helps us better serve client needs in their evaluation of migrating to Cloud.
Quick question – if we’d like to make some slight changes to our self-assessment, before we provide our consent, how should we proceed? Should we insert a new Self-Assessment ticket? Should we add a comment to the initial ticket? Is there a clear procedure?
Locate the confirmation email you received when you submitted the form initially.
Make the necessary edits.
Add a comment to summarize the key changes that you have made.
Additionally, in our consent form, you can indicate the following: “I consent to Atlassian sharing self-assessment responses with customers only after I resubmit my responses,” and then pick a date for when you will resubmit the form by.
I have also seen the instructions available here (the same as in your answer) but I’m not sure these are up to date. The Self-Assessment has been submitted through the support portal available here. We have access to the support ticket which is currently in the Approved status, but we cannot edit it anymore and we cannot reopen it either. This is why I asked, how can we modify our answers, how can we make the necessary edits? The confirmation email is an automatic notification from JSM saying that the status of our request was changed to Approved and that’s all we have.
Please advise. Thanks and looking forward to your reply.
I have a customer who wants to see our response to the questionnaire. We have oped into the program. Where should the customer request this information?
Hi Boris - We are building an operating model to scale these answers via our field teams and solution partners in the short term and via marketplace.atlassian.com in the medium term. We don’t have the details to share yet as getting permission from our partners to share this information was a key dependency to launching the operating model.
In the interim, please respond directly to the customer with your security questionnaire answers as you deem appropriate.
Were you able to see my question above? How can we update our self-assessment? The instructions available on this page don’t seem up to date. The AMKTHELP ticket is not editable.
TL;DR Atlassian is working to make relevant security information more accessible to customers so that it’s easier for them to buy your apps. The beginning of those changes are highlighted below.