Security Incident Notification Procedure

Purpose

At miniOrange, we take security seriously. This document describes the process miniOrange follows when a vulnerability is discovered in one of our Atlassian cloud apps: how we notify Atlassian and impacted customers, resolve the issue, and prevent recurrence. It ensures timely reporting, coordination, and mitigation while respecting the constraints of the cloud environment and user privacy.

Step 1: Identify and Assess the Vulnerability

  • Vulnerabilities may be identified by Atlassian, miniOrange, customers, or third parties.
  • The Support Team, Security Team, and Incident Manager evaluate the issue to determine its severity (Critical, High, Medium, Low).
  • Teams are assigned to handle remediation, customer communications, and coordination with Atlassian.
  • Cloud-specific note: Since miniOrange operates within Atlassian Cloud/Forge, we cannot isolate customer systems. Instead, app processes or access to sensitive configurations may be temporarily restricted if required to mitigate risk.

Step 2: Notify Atlassian

  • The Support and Security Teams open an App Security Incident ticket with Atlassian within 12 hours of confirming the vulnerability.
  • The ticket includes:
    • Nature and severity of the vulnerability
    • Date and time of identification
    • Components or app features affected
    • Initial mitigation steps taken
  • miniOrange coordinates with Atlassian throughout the incident resolution to ensure timely guidance to affected customers.

Step 3: Notify Customers & Plan Remediation

  • Impacted customers are notified promptly (generally within 24 hours).
  • The Development Team, Security Team, and Testing Team collaborate to plan and implement a fix.
  • Customers receive guidance on mitigation, temporary workarounds, or preventive steps.
  • All remediation steps are tested and verified before release.

Step 4: Release and Follow-Up

  • The verified fix is deployed according to standard release practices.
  • The Change Control Board reviews the release and confirms that mitigation steps are complete.
  • Affected customers are informed and encouraged to update to the latest app version.
  • All incident details, customer communications, and remediation actions are logged for auditing and continuous improvement.

Cloud-Specific Considerations

  • No direct access or control over customer data outside the app’s granted scopes is required or performed.
  • All logs, app configurations, and credentials used during remediation follow encryption, access control, and retention policies outlined in the miniOrange Privacy Policy.
  • Any temporary restrictions on app operations are limited to the runtime environment and do not interfere with other Atlassian tenant operations.

Logging & Audit

  • All actions taken during the vulnerability lifecycle are logged, including:
    • Issue summary and severity
    • Teams and personnel involved
    • Customer notifications and communications
    • Remediation steps, testing results, and release details
  • Logs are retained for at least 90 days and are accessible only to authorized personnel.