As an Atlassian Partner, we deal with customers who have a variety of applications, running at different versions, deployed in a variety of environments. The combination of factors means that they are exposed to a different risks than how a security issue is evaluated within Atlassian. To better serve our clients, we work to evaluate all new security issues we come across in relation to their specific environmental factors. Earlier this week we were made aware of https://careers.tenable.com/blogs/tenable-blog-3d217a4e-277d-42b7-b180-a04ae4d88426/cve-2019-8451-proof-of-concept-available-for-server-side-request-forgery-ssrf-vulnerability-in-jira by a client of ours who we're in the middle of helping to migrate to AWS. This was an embarrassing moment for us that we were not yet aware of this issue.
To address this, we wanted to find a single source of truth for public vulnerabilities that we could subscribe to. Our initial idea was to set up a Filter Subscription in JAC, however the current model for handling security issues doesn't have a good way for us to JQL for issues made recently public. For example, we cannot use JQL such as
Security was in "Atlassian Staff"
The best thing we have today is
comment ~ "CVSS" and project not in ("Sourcetree For Mac", "Sourcetree for Windows", atlassian-seraph, "Migration Platform", "JIRA Software Cloud", "Confluence Cloud","Jira Service Desk Cloud","Jira Cloud (including JIRA Core)", "Portfolio for JIRA Cloud",Identity,atlassian-http,"Atlassian Cloud",HipChat,"Atlassian Access") and type = bug and updated > -1d
Which works, but also pulls in more than it needs to.
We would love to see some kind of change implemented where we could rely on JAC to be able to tell us if something new has come out in the last few N amount of time.
We're currently evaluating subscribing to NVD and other feeds as well. We would love to hear feedback from Atlassian on how they believe we (or a client admin team) should be handling this.