Upcoming changes to Data Center App Security process

Hi,
I’m Krystian Brazulewicz, Engineering Manager in the DC Core team at Atlassian

We have worked through your feedback and we wanted to address your most frequent questions.

In February 2022 we introduced a new security requirement for all apps submitted for Data Center App Approval: apps need to be free from critical- and high-severity security vulnerabilities in their third-party dependencies. Partners are obliged to provide vulnerability scan reports that confirm this, and Atlassian validates those reports using a third-party security scanner.

Since the kickoff of the project, we have been able to significantly reduce the number of vulnerabilities present in the DC apps available on the Atlassian Marketplace. This is a success for our customers, who are safer than they used to be, and it is a success we owe to you and your diligence.

The change to the annual DC App Approval process was an improvement, but an annual check still does not align with the timeframes defined in the Security Bug Fix Policy for Marketplace apps. New security issues are discovered every day, and it is critical to address vulnerabilities as soon as possible so that our customers can continue to trust the Atlassian Ecosystem. This is our shared commitment to customers, and the rollout of the security scanner for DC apps improves our ability to act on newly discovered vulnerabilities in a more agile way. We believe this will further improve the security posture of DC apps and will also give Partners a more convenient way to track security issues.

What is the date of the rollout of the integration?

We will start the gradual rollout of tracking Data Center app vulnerabilities in Atlassian Marketplace Security in mid-August 2023.

How does this announcement relate to the one from November 2021?

In the announcement in November 2021, we notified you about the addition of a security requirement to the DC App Approval process, which went live in February 2022. At that time we planned to roll out the integration with Atlassian Marketplace Security in April 2022. The global situation forced us to postpone going live with this integration, but internally we have been using it to validate the security reports submitted during the annual DC App Approval process.

Can Atlassian make the vulnerability scanner publicly available?

Atlassian uses a third-party solution to identify vulnerabilities in open-source libraries. At the moment we are not in a position to endorse any specific solution on the market, nor do we have the technical means to make the vulnerability scanner infrastructure publicly available. Please refer to the Security Scanner for Data Center apps page for the available options.

A significant part of your feedback revolved around enabling Partners to use a solution that would guarantee exactly the same scan results. We will re-evaluate our technical and legal options in this area and provide an update before the end of September.

We also validated the differences in detected critical- and high-severity vulnerabilities across different tools. Our data shows that the differences are marginal (about 2%), and in those rare cases we would like to hear from you and resolve the discrepancy.

Is Atlassian changing the policy?

The responsibilities and timelines in the Security Bug Fix Policy for Marketplace apps remain the same. What we are changing is the process of how and how often we inform Partners about the risk of them breaking this policy.

Which dependencies are scanned?

We only scan the third-party libraries that are bundled with the app. Dependencies declared in Maven's provided scope are not scanned, because they are not bundled with the app; the host product is expected to supply them at runtime.

Please refer to Security Scanner for Data Center apps for more technical details.
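As an added illustration of the bundled-versus-provided distinction (this is example code written for this page, not Atlassian tooling or the scanner itself), the script below reads a constructed sample pom.xml and sorts its direct dependencies into those that end up on the runtime classpath and are therefore in scope for the scan, and those in the provided scope, which the host product supplies. The group and artifact names in the sample pom are made up.

```python
"""Sort direct Maven dependencies by whether they ship inside the app.

Maven's `compile` (the default) and `runtime` scopes put an artifact on the
runtime classpath, so such dependencies get bundled into the app and are in
scope for the Data Center app security scan. `provided` dependencies are
expected to be supplied by the host product at runtime, and `test`
dependencies never ship, so neither is bundled.
"""
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom.xml for illustration only; the coordinates are fictional.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>example-dc-app</artifactId>
  <version>1.0.0</version>
  <dependencies>
    <dependency>
      <groupId>com.example.host</groupId>
      <artifactId>host-api</artifactId>
      <version>9.0.0</version>
      <scope>provided</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>json-parser</artifactId>
      <version>2.1.0</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>text-utils</artifactId>
      <version>1.4.0</version>
      <scope>runtime</scope>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>unit-test-kit</artifactId>
      <version>5.0.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Scopes whose artifacts land on the runtime classpath and hence in the packaged app.
BUNDLED_SCOPES = {"compile", "runtime"}


def classify_dependencies(pom_xml: str) -> dict:
    """Return {'bundled': [...], 'provided': [...], 'other': [...]} of
    groupId:artifactId:version strings, in declaration order."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    result = {"bundled": [], "provided": [], "other": []}
    for dep in root.findall("./m:dependencies/m:dependency", ns):
        coords = ":".join(
            dep.findtext(f"m:{tag}", default="", namespaces=ns)
            for tag in ("groupId", "artifactId", "version")
        )
        # Maven treats a missing <scope> as compile.
        scope = dep.findtext("m:scope", default="compile", namespaces=ns)
        if scope == "provided":
            result["provided"].append(coords)
        elif scope in BUNDLED_SCOPES:
            result["bundled"].append(coords)
        else:  # test, system, import: not shipped in the app
            result["other"].append(coords)
    return result


if __name__ == "__main__":
    for bucket, deps in classify_dependencies(SAMPLE_POM).items():
        print(bucket)
        for coords in deps:
            print("  ", coords)
```

This only inspects the direct declarations in one pom; it does not resolve transitive dependencies, scopes inherited from a parent pom or dependencyManagement, or the packaging plugin's own embedding rules, all of which decide what actually ends up in the jar. For the resolved view, `mvn dependency:tree -Dscope=runtime` on the app module lists what the build will put on the runtime classpath, which is the set a scan report should cover.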

Suppressing certain vulnerabilities

We use suppression only to exclude confirmed false positives from the report. We are open to discussing your concerns about specific vulnerabilities on a case-by-case basis in your AMS ticket.