Update: Atlassian's Investigation on CVE-2021-44228

@JakeComito If Atlassian scans an app and the result is “not vulnerable”, then the app vendor will not be notified, correct?

In other words, if the vendor doesn’t hear from Atlassian, then it is either because its app wasn’t scanned or it was scanned, but the vulnerability was not found in it?

(With these questions, I wanted to suggest that maybe Atlassian should notify the app vendor even if “we scanned your app and it looks OK”.)
