Security Vulnerability Policy
Security Vulnerability Policy
StreamlineSoft makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in StreamlineSoft products.
Scope
This page describes when and how we release security bug fixes for our products. It does not describe the complete disclosure process that we follow.
Security bug fix Service Level Agreement (SLA)
We attempt to meet the following timeframes for fixing security issues.
- Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) should be fixed in product within 1 week of being reported.
- High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) should be fixed in product within 2 weeks of being reported.
- Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) should be fixed in product within 4 weeksof being reported.
Critical vulnerabilities
When a Critical security vulnerability is discovered by StreamlineSoft or reported by a third party, StreamlineSoft will do all of the following:
- Issue a new, fixed release for the current version of the affected product as soon as possible.
- Inform Atlassian and our customers of the vulnerability as well as any steps that we have taken/are taking to address it.
We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.