Bug bounty findings found by security researchers through Bugcrowd
Security vulnerabilities reported by the security team as part of reviews
Security vulnerabilities reported by Atlassians
Open Source Consulting Inc. uses Common Vulnerability Scoring System (CVSS) as a method of assessing security risk and prioritization for each discovered vulnerability. CVSS is an industry standard vulnerability metric. You can learn more about CVSS at FIRST.org.
Security advisories include a severity level. This severity level is based on our self-calculated CVSS score for each specific vulnerability.
Critical
High
Medium
Low
For CVSS v3 Open Source Consulting Inc. uses the following severity rating system:
CVSS V3 SCORE RANGE | SEVERITY IN ADVISORY |
9.0 - 10.0 | Critical |
7.0 - 8.9 | High |
4.0 - 6.9 | Medium |
0.1 - 3.9 | Low |
Consumers may use CVSS information as input to an organizational vulnerability management process that also considers factors that are not part of CVSS in order to rank the threats to their technology infrastructure and make informed remediation decisions. Such factors may include: number of customers on a product line, monetary losses due to a breach, life or property threatened, or public sentiment on highly publicized vulnerabilities. These are outside the scope of CVSS.
In cases where Open Source Consulting Inc. takes this approach, we will describe which additional factors have been considered and why when publicly disclosing the vulnerability.
Below are a few examples of vulnerabilities which may result in a given severity level. Please keep in mind that this rating does not take into account details of your installation and are to be used as a guide only.
Vulnerabilities that score in the critical range usually have most of the following characteristics:
Exploitation of the vulnerability likely results in root-level compromise of servers or infrastructure devices.
Exploitation is usually straightforward, in the sense that the attacker does not need any special authentication credentials or knowledge about individual victims, and does not need to persuade a target user, for example via social engineering, into performing any special functions.
For critical vulnerabilities, is advised that you patch or upgrade as soon as possible, unless you have other mitigating measures in place. For example, a mitigating factor could be if your installation is not accessible from the Internet.
Vulnerabilities that score in the high range usually have some of the following characteristics:
The vulnerability is difficult to exploit.
Exploitation could result in elevated privileges.
Exploitation could result in a significant data loss or downtime.
Vulnerabilities that score in the medium range usually have some of the following characteristics:
Vulnerabilities that require the attacker to manipulate individual victims via social engineering tactics.
Denial of service vulnerabilities that are difficult to set up.
Exploits that require an attacker to reside on the same local network as the victim.
Vulnerabilities where exploitation provides only very limited access.
Vulnerabilities that require user privileges for successful exploitation.
Vulnerabilities in the low range typically have very little impact on an organization's business. Exploitation of such vulnerabilities usually requires local or physical system access. Vulnerabilities in third party code that are unreachable from Open Source Consulting Inc. code may be downgraded to low severity.
Open Source Consulting Inc. sets service level objectives for fixing security vulnerabilities based on the security severity level and the affected product. We have defined timeframes for fixing security issues according to our security bug fix policy.
Accelerated Resolution Timeframes apply to:
All cloud-based Open Source Consulting Inc. products
Any other software or system managed by Open Source Consulting Inc. , or running on Open Source Consulting Inc. infrastructure
Extended Resolution Timeframes apply to:
All self-managed Open Source Consulting Inc. products
These are products that are installed by customers on customer-managed systems
SEVERITY LEVELS | ACCELERATED RESOLUTION TIMEFRAMES | EXTENDED RESOLUTION TIMEFRAMES |
Critical | Within 2 weeks of being verified | Within 90 days of being verified |
High | Within 4 weeks of being verified | Within 90 days of being verified |
Medium | Within 6 weeks of being verified | Within 90 days of being verified |
Low | Within 25 weeks of being verified | Within 90 days of being verified |
Get started with a trial for your business
Don't struggle with our apps. Our dedicated team is always available
to help you with any concerns you may have with our products.
Get the inside scoop, previews,
news and other fun stuff.
5F, Narakium Bldg., 32, Teheran-ro 83-gil,, Gangnam-gu, Seoul, Republic of Korea
Tel.+82-2-516-0711 E-mail. atlassian_apps@osci.kr
© Open Source Consulting Inc. All rights reserved.
5F, Narakium Bldg., 32, Teheran-ro 83-gil, Gangnam-gu, Seoul, Republic of Korea
Tel.+82-2-516-0711 E-mail. atlassian_apps@osci.kr
© Open Source Consulting Inc. All rights reserved.