Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Trying to build a security SLA

Hi, I am looking for some collective wisdom to build a security SLA report/dashboard. 
We already have a CVSS score field in our JIRA data ranging from 0-10.
The first step would be to create a criticality field such as follows:

If CVSS >= 9.0 -> Critical

If CVSS between 7.0 - 8.9 -> High

If CVSS between 4.0 - 6.9 -> Medium

If CVSS between 0.1 - 3.9 -> Low

If CVSS = 0 -> None

The next step would be then to compare the criticality field against our SLA

Critical = 14 days

High = 30 days

Medium = 60 days

Low = 90 days

Not sure the best way to do this.


Finally, create a report that shows some sort of traffic light status (meet(green), fail(red)) for all non released SLA items.

I would think this has been done before, but my search didn't bear any fruit. 

Any ideas?

4 answers

1 vote
Brant Schroeder Community Leader Aug 08, 2022

@Derek Hill You would just build the SLA so it is based on the CVSS field.  So if the CVSS field is >= 9.0 the SLA would be 14 days.  You can have a single SLA that evaluates this field and applies the SLA time based on the CVSS value.  There are build in SLA reports that you can then use to see breached vs met and you could make a custom report to show all breached vs met based on the release.

Brant Schroeder Community Leader Aug 15, 2022

@Derek Hill SLA is only delivered by Atlassian in Jira Service Management.

I ended up using the Time for SLA plugin. After some trial and error I have it working the way I want it to. It is not perfect, but good enough for my particular needs. Thanks everyone.

Thank you both. I will try your suggestions and report back.

0 votes

@Derek Hill Here are a few documents that will help you out detailing @Brant Schroeder recommendations:

Setting up SLAs:


Reporting on SLAs:

cheers -dewitt

We are running JIRA server, I am not seeing anything related to SLA's, is that feature there or only present in Cloud?

It looks like what you suggested is a different product which we don't have. I am trying to figure out how to make this work with Jira Software (Core).

Does this require a 3rd party plugin?

Suggest an answer

Log in or Sign up to answer