Security Bug Fix Policy

The following describes how and when we resolve security bugs in Visor products. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Objectives (SLO)

We have defined the following timeframes for fixing security issues in our products:

Accelerated Resolution Timeframes

Visor uses the Common Vulnerability Scoring System (CVSS) to judge the severity of our software vulnerabilities. See the National Institute of Standards and Technology site for more information on CVSS. These timeframes apply to app.visor.us and any other software or system that is managed by Visor or is running on Visor infrastructure.

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed and released in product within 2 weeks of being reported
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed and released in product within 4 weeks of being reported
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed and released in product within 6 weeks of being reported
  • Low severity bugs (CVSS v2 score < 3, CVSS v3 score < 4) to be fixed and released in product within 10 weeks of being reported

Critical Vulnerabilities

When a Critical security vulnerability is discovered by Visor or reported by a third party, Visor will do all of the following:

  • Deploy a new, fixed release for the current version of the affected product as soon as possible.
  • Notify all customers that are affected by the vulnerability, and inform them of next steps on how to protect their data.
  • Notify Atlassian by filing an App Security Ticket in accordance with the Security Incident Response section of our Information Security Policy.
  • Perform a postmortem analysis of what caused the vulnerability in our system and how we can prevent similar events in the future, with a close eye on updating our existing processes to be more secure.

Other information

Since Visor exists primarily as a web application, no further action should be required from users when a security patch is released, aside from refreshing their browser. We will notify our users when something goes wrong in accordance with the Security Incident Response section of our Information Security Policy.

We are continuously evaluating our policies based on customer feedback and internal reviews and will provide any updates or changes on this page in the future.