FirstTry Trust Center v4.4.2
Pack: v4.4.2 | Rev: 4.4.2 | Owner: FirstTry Solutions | Last Updated: 2026-02-26 | Review: Annual | Doc ID: FT-TRUST-003

Vulnerability Disclosure Policy


1. Purpose

This policy establishes the framework for responsible disclosure of security vulnerabilities in FirstTry.


2. Scope

This policy applies to vulnerabilities in:

  • FirstTry source code
  • FirstTry dependencies (via npm audit)
  • FirstTry build and deployment infrastructure
  • FirstTry documentation and security tooling

This policy does NOT address:

  • Atlassian Forge platform vulnerabilities (report to Atlassian)
  • Jira Cloud API vulnerabilities (report to Atlassian)
  • Customer infrastructure or configuration issues (report to customer's IT)

3. Process

Step 1: Initial Report

Submit vulnerability to security.contact@firsttry.run with:

  • Title (one-sentence summary)
  • Description (what is broken)
  • Steps to reproduce (if applicable)
  • Impact (what an attacker can do)
  • Suggested fix (if you have one)

Include your contact information (email, phone if available).

Step 2: Acknowledgement

Within 24 business hours, we will:

  • Confirm receipt of report
  • Assign severity level (Critical/High/Medium/Low)
  • Provide expected timeline for fix and disclosure

Step 3: Investigation and Development

  • Confirm vulnerability details
  • Develop patch or mitigation
  • Conduct testing
  • Prepare release notes

Timeline:

  • Critical: Target fix within 7 days
  • High: Target fix within 14 days
  • Medium: Target fix within 30 days
  • Low: Fix in next regular release

Step 4: Coordinated Release

  • Release patch
  • Publish security advisory (CHANGELOG.md)
  • Notify customers via email (if pre-registered)
  • 30-day embargo: Researcher may publish details after fix is released

Step 5: Public Disclosure

After fix is released publicly:

  • We may publish advisory in Atlassian Security Center or github.com/Firsttry-Solutions/disclosures
  • Researcher is free to publish findings after patch is live
  • Credit given to reporter (if requested)

4. Embargo Period

Embargo timeline:

  • Private phase: Until fix is released (typically 7–30 days depending on severity)
  • Public phase: Researcher may disclose 30 days after public patch release

Exceptions:

  • If fix is not forthcoming after 90 days, researcher may disclose publicly (after notifying us)
  • If the vulnerability is being actively exploited in the wild (0-day), the timeline may be shortened

5. Important Guidelines

Do's

✅ Report privately to security.contact@firsttry.run
✅ Give us time to develop and test fixes
✅ Verify vulnerability before reporting (reduce false positives)
✅ Provide clear reproduction steps

Don'ts

❌ Report vulnerabilities in public (GitHub issues, forums, etc.)
❌ Email security findings to personal inboxes without confidential header
❌ Exploit vulnerabilities beyond proof-of-concept
❌ Access other customers' data or Jira sites
❌ Violate CFAA or other applicable laws
❌ Disclose before patch is public


6. Safe Harbor

Researchers who report in good faith and follow this policy will not be pursued legally for:

  • Accessing the vulnerability
  • Notifying FirstTry
  • Good-faith testing to confirm the issue

7. Non-Eligible Vulnerabilities

We do not reward reports for:

  • Spelling/grammar mistakes
  • Missing rate limiting on non-sensitive endpoints
  • Self-XSS (attacks where the victim must inject the payload into their own session)
  • CSRF on admin-only functions without user interaction
  • Brute-force issues that can be mitigated by rate limiting
  • Known issues already in our publicly documented limitations

8. Credits and Attribution

If you wish to be credited:

  1. Mention in your initial report (optional)
  2. We will include your name/pseudonym in security advisory and CHANGELOG
  3. You may request a link to your security research page or profile

9. Contact and Escalation

Primary: security.contact@firsttry.run

Escalation (if no response after 5 days):


10. References