...
Please see the Privacy Policy on where we store data.
How
...
we handle a vulnerability
Important: If you notice a vulnerability, please submit it at a report to https://playsqlrequirementyogi.atlassian.net/servicedesk/customer/portals and: .
- We will investigate as soon as we can and write an internal report,
- If we confirm the vulnerability, we will notify Atlassian,
- If a breach allowed access or alteration of customer data, we also notify our GDPR authorities within 72hrs (namely CNIL, for France),
- If a breach allowed access or alteration of customer data by an external person, we also notify those customers directly.
- If a breach only allowed two users of the same customer to view/edit data they were not permitted to (permission violation), we choose whether we only notify customers through the release notes when delivering the new version, or whether we directly contact customers.
We detect vulnerabilities using:
- Participation to Atlassian's bug bounty program, vulnerabilities reported by Atlassian themselves, and obviously we'll also listen to vulnerabilities reported by external people,
- Regular pentests (once a year),
- NPM's automatic tool (npm audit),
- Maven's automatic tool (Maven Dependency Check, which uses the NIST / OWASP database and also detects NPM-related vulnerabilities).
Notes:
- Automatic tools detect suspects in most common industry libraries quite frequently, whether we are affected or not. Therefore, we do not publish a report for each of them, we simply upgrade the library or ensure we are not using the feature of the library which has the vulnerability. Our release process blocks the release of software anyway until the suspect is resolved.
- If a vulnerability looks grave to us (ability to access or alter customer data), we investigate whether it would have allowed access or alteration of customer data, and we apply the process above.
Please send notifications to https://playsqlrequirementyogi.atlassian.net/servicedesk/customer/portals (In case this portal meets a breach, we are also available by email at security@requirementyogi.com).
...