Hi @remie - thanks for the reply.
These are all great questions, and I’m going to be honest and say I don’t hold all the answers. What I do know is that we in Ecosystem Security try to be as reasonable as possible, and ultimately want to work together to ensure the security of our joint customers.
In cases where Atlassian is the cause of a security related issue, we are more than happy to work together to get the issue resolved - and for pretty much all of the cases we’ve been involved in, open communication between vendors and the Ecosystem Security team has resulted in an agreeable outcome on both sides.
It’s not in either of our best interests for us to get to a stage where we need to consider removing apps from the marketplace; we don’t want to do it, and don’t take that action lightly.
The only times where we’ve been forced to review an app’s distribution status in the Atlassian Marketplace is when there have been (particularly nasty) vulnerabilities within apps, and the vendor has gone completely off the grid and - despite our best efforts - we were unable to make contact with the vendor.
As I said - we’re still hard at work putting all of the pieces of the puzzle together to help increase the security of our ecosystem, and so I don’t currently have all the answers - but as long as there has been an open dialog, we haven’t had any issues so far in coming to reasonable solutions to any problem that we have faced with our vendor community (and so thank you all for your ongoing outreach and feedback).
Generally, if you need guidance on specific packages, or specific issues you’re facing, the best way to get that guidance is by creating an ESSD ticket here.