Security Bug Fix Policy

Old Street Solutions makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Old Street Solutions products.


The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Agreement (SLA)

We have defined the following timeframes for fixing security issues in our products:

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 4 weeks of being reported
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 6 weeks of being reported
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 8 weeks of being reported

The following critical vulnerabilities resolution policy excludes our Atlassian Cloud hosted products, as these services are always fixed by Old Street Solutions without any additional action from customers.

Critical Vulnerabilities

When a Critical security vulnerability is discovered by Old Street Solutions or reported by a third party, Old Street Solutions will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible.
  • It is important to stay on the latest bug fix release for the version of the product you are using (this is best practice).

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, Old Street Solutions will include a fix in the next scheduled release.

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.


Other information

Severity level of vulnerabilities is calculated based on Severity Levels for Security Issues.

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.