
Security Incident Reporting Process

1. Purpose

This document outlines the process for identifying, reporting, and responding to security incidents related to our Confluence Cloud apps. The goal is to ensure a rapid and effective response to mitigate risks and protect customer data.

2. Scope

This process applies to all employees, contractors, and third parties who develop, maintain, or support our Confluence Cloud apps.

3. Definitions

  • Security Incident: Any event that may compromise the confidentiality, integrity, or availability of our applications, data, or infrastructure.

  • Incident Response Team (IRT): A designated group responsible for managing security incidents, consisting of the Development Team Lead, Product Owner, and QA Team.

4. Incident Identification

Security incidents may be identified through various sources, including but not limited to:

  • Internal monitoring and security alerts

  • Customer reports

  • Bug bounty programs

  • Atlassian Marketplace or Atlassian Security team notifications

  • External security researchers

5. Incident Reporting

5.1 Immediate Actions

When an incident is identified, the following steps should be taken immediately:

  • Do not attempt to fix the issue without proper authorization.

  • Collect relevant details, including:

    • Description of the issue

    • Date and time of detection

    • Affected systems or applications

    • Any logs, screenshots, or evidence

5.2 Reporting Channels

Security incidents must be reported immediately to the Incident Response Team (IRT) through one of the following channels:

6. Incident Assessment & Classification

The IRT will assess and classify the incident based on its severity and impact:

  • Low: Minor security issue with no direct impact on customers.

  • Medium: A potential risk with limited impact.

  • High: A confirmed vulnerability with customer data exposure risk.

  • Critical: Active exploitation or severe data breach.

7. Incident Response & Mitigation

Based on classification, the IRT will take the following steps:

  • Low/Medium Severity:

    • Log the issue and track it through resolution.

    • Apply patches or updates as necessary.

  • High/Critical Severity:

    • Immediately contain the issue.

    • Notify affected customers if applicable.

    • Work with Atlassian security teams if necessary.

    • Deploy fixes and monitor for further threats.

    • Create an RCA (root cause analysis) document and add it to the public knowledge base.

8. Communication & Notification

If the incident affects customers, the company will:

  • Notify impacted users within 24 hours of confirmation.

  • Provide mitigation steps or temporary workarounds.

  • Issue a post-mortem report with root cause analysis and future prevention measures.

9. Post-Incident Review

After resolution, the IRT will conduct a post-mortem analysis to:

  • Identify root causes and lessons learned.

  • Improve security measures.

  • Update internal documentation and policies as necessary.

10. Continuous Improvement

To prevent future incidents, the company will:

  • Conduct regular security audits.

  • Implement security training for developers and employees.

  • Encourage responsible disclosure through the bug bounty program.
