# Vulnerability Disclosure Policy

**Version**: 4.4.2  
**Owner**: FirstTry Solutions  
**Last Updated**: 2026-02-26  
**Review Cycle**: Annual  
**Doc ID**: FT-TRUST-003  

---

## 1. Purpose

This policy establishes the framework for responsible disclosure of security vulnerabilities in FirstTry.

---

## 2. Scope

This policy applies to vulnerabilities in:
- FirstTry source code
- FirstTry dependencies (via npm audit)
- FirstTry build and deployment infrastructure
- FirstTry documentation and security tooling

This policy does NOT address:
- Atlassian Forge platform vulnerabilities (report to Atlassian)
- Jira Cloud API vulnerabilities (report to Atlassian)
- Customer infrastructure or configuration issues (report to customer's IT)

---

## 3. Process

### Step 1: Initial Report
Submit the vulnerability to [security.contact@firsttry.run](mailto:security.contact@firsttry.run) with:
- Title (one-sentence summary)
- Description (what is broken)
- Steps to reproduce (if applicable)
- Impact (what an attacker can do)
- Suggested fix (if you have one)

Include your contact information (email, phone if available).

### Step 2: Acknowledgement
Within 24 business hours, we will:
- Confirm receipt of report
- Assign severity level (Critical/High/Medium/Low)
- Provide expected timeline for fix and disclosure

### Step 3: Investigation and Development
- Confirm vulnerability details
- Develop patch or mitigation
- Conduct testing
- Prepare release notes

**Timeline**: 
- Critical: Target fix within 7 days
- High: Target fix within 14 days
- Medium: Target fix within 30 days
- Low: Fix in next regular release

### Step 4: Coordinated Release
- Release patch
- Publish security advisory (CHANGELOG.md)
- Notify customers via email (if pre-registered)
- 30-day embargo: the researcher may publish details after the fix is released

### Step 5: Public Disclosure
After the fix is released publicly:
- We may publish advisory in Atlassian Security Center or github.com/Firsttry-Solutions/disclosures
- Researcher is free to publish findings after patch is live
- Credit given to reporter (if requested)

---

## 4. Embargo Period

**Embargo timeline**:
- **Private phase**: Until fix is released (typically 7–30 days depending on severity)
- **Public phase**: Researcher may disclose 30 days after public patch release

**Exceptions**:
- If a fix is not forthcoming after 90 days, the researcher may disclose publicly (after notifying us)
- If a 0-day is being actively exploited, the timeline may be shortened

---

## 5. Important Guidelines

### Do's
✅ Report privately to security.contact@firsttry.run  
✅ Give us time to develop and test fixes  
✅ Verify vulnerability before reporting (reduce false positives)  
✅ Provide clear reproduction steps  

### Don'ts
❌ Report vulnerabilities in public (GitHub issues, forums, etc.)  
❌ Email security findings to personal inboxes without a confidential header  
❌ Exploit vulnerabilities beyond proof-of-concept  
❌ Access other customers' data or Jira sites  
❌ Violate CFAA or other applicable laws  
❌ Disclose before patch is public  

---

## 6. Safe Harbor

Researchers who report in good faith and follow this policy will not be pursued legally for:
- Accessing the vulnerability
- Notifying FirstTry
- Good-faith testing to confirm the issue

---

## 7. Non-Eligible Vulnerabilities

We do not reward reports for:
- Spelling/grammar mistakes
- Missing rate limiting on non-sensitive endpoints
- Self-XSS (attacks that only affect the user who executes them)
- CSRF on admin-only functions without user interaction
- Brute-force issues that can be mitigated by rate limiting
- Known issues already in our publicly documented limitations

---

## 8. Credits and Attribution

If you wish to be credited:
1. Mention in your initial report (optional)
2. We will include your name/pseudonym in security advisory and CHANGELOG
3. You may request a link to your security research page or profile

---

## 9. Contact and Escalation

**Primary**: [security.contact@firsttry.run](mailto:security.contact@firsttry.run)

**Escalation** (if no response after 5 days):
- Contact: [security.contact@firsttry.run](mailto:security.contact@firsttry.run)
- Subject: `[SECURITY ESCALATION] Vulnerability Report - <date>`

---

## 10. References

- [SECURITY_CONTACT.md](SECURITY_CONTACT.md): Primary security contact
- [INCIDENT_RESPONSE_PLAN.md](../operations/INCIDENT_RESPONSE_PLAN.md): Severity and response SLA
- [CHANGELOG.md](../CHANGELOG.md): Security updates published here
