Increasing security transparency between Marketplace app developers and customers

Trust and security are incredibly important to our customers. App trust is one of their prevailing concerns, especially as they migrate to the cloud. Our customers expect all apps in the marketplace to be secure, and they expect Atlassian to help them determine which apps are prioritizing security and implementing strong security practices.

In an effort to address these concerns, and to alleviate blockers to customers’ transition to the cloud, Atlassian is working hard to improve the programs and capabilities that build trust in all of our apps on the Marketplace, and to make security indicators more transparent to customers. That is why we recently implemented our new Security Bug Fix Policy, created the App Security Transparency Page, and included the impact to apps in Product Security Advisories, such as the advisory for the Log4j vulnerability.

What’s new?

We believe that, long-term, transparency around app and vendor security practices will benefit both customers and our developer community by reducing friction in the app evaluation process.

In addition to our recent efforts to make app security more transparent, partners can now opt in to allow Security Self-Assessment responses to be shared with customers who are evaluating their app. The responses will be shared directly with customers upon request; they will not be public-facing.

You can expect more enhancements to our Security Self-Assessment Program in the future; however, for now, we will be asking partners to give us consent to share their submissions.

Please note the following about this change:

  • Atlassian will not share responses to the Security Self-Assessment without explicit consent, which you can provide by submitting this form.
  • Consent is provided once, and is specific to the results of the Security Self-Assessment. If you happen to change your mind after submitting the form, you can open a DEVHELP ticket to change your response.
  • You can resubmit the Self-Assessment before consenting to it being shared by clicking "I consent to Atlassian sharing self-assessment responses with customers only after I resubmit my responses" and then choosing a date when Atlassian can start sharing the results.

Atlassian will only share your results after approving your Self-Assessment submission. Your submission has been approved if you have the green checkmark next to "This partner has completed the Security Self-Assessment Program" on your apps’ Overview Page. Atlassian will share your results as they are, without providing any additional information. Customers with unanswered questions will be asked to contact you directly.

For partners with multiple apps, please note that you are submitting this consent for all apps owned by you on the Atlassian Marketplace.

Next steps

We think this change will increase app transparency, improve customer sales cycles, and, overall, make the Marketplace more secure. Let us know if you have any questions!