Vulnerability Management Summary
Flowdence reviews vulnerabilities across app code, dependencies, Forge manifests, public documentation surfaces, support systems, and operational tooling.
Review sources
- Dependency and open-source component scanning, including software composition analysis for Node and Forge apps.
- GitHub security alerts, package advisories, pull-request review, and release checks.
- Product-specific reviews for scopes, egress, secret handling, logging, licensing, and customer-configured upstream integrations.
- Customer, Atlassian, and researcher reports sent through Flowdence support or [email protected].
Remediation targets
| Severity | Target |
|---|---|
| Critical | 24-72 hours, sooner if actively exploited |
| High | 7 calendar days |
| Medium | 30 calendar days |
| Low | Next planned release or documented risk acceptance |
Targets may be shortened when a vulnerability is actively exploited, affects customer secrets, or requires Atlassian Marketplace notification.
Atlassian Marketplace notification
For Marketplace apps, Flowdence follows Atlassian’s security bug fix, incident notification, and vulnerability notification guidance when a security incident or critical vulnerability requires notification.
Reporting security issues
Send reports to [email protected] or through the Flowdence support portal. Please include the affected app, tenant/product context, reproduction steps, impact, and sanitized evidence.