Common use of Vulnerability Testing Clause in Contracts

Vulnerability Testing. Atlassian conducts internal vulnerability testing, as described here. This includes our bug bounty program. We make the results of these internal tests publicly available and commit to making bug fixes in line with our Security Bug Fix Policy. b) Customer may, either itself or through an independent third party (who has entered into confidentiality obligations with Atlassian), perform its own vulnerability testing of its Cloud Products in accordance with the Security Test Rules. Customer may report any vulnerabilities impacting the Cloud Products to Atlassian in accordance with the procedures set forth in the Security Test Rules. c) Atlassian will use commercially reasonable efforts to address identified security vulnerabilities in our Cloud Products and our infrastructure in accordance with the Security Bug Fix Policy. The parties acknowledge that Atlassian may update the Security Bug Fix Policy from time to time in its discretion, provided such updates do not result in a material derogation of the Security Bug Fix Policy. Measures for user identification and authorisation Atlassian cloud users can authenticate using username and password, or external IdPs (incl. via XXXX, Google, Microsoft and Apple). All credentials are hosted in the application database, which is encrypted at rest. Passwords are stored using a secure hash + salt algorithm. Administrators are able to configure and enforce password complexity requirements for managed accounts via Atlassian Access: xxxxx://xxxxxxx.xxxxxxxxx.xxx/security-and-access-policies/docs/manage-your-password-policy/. Administrators are also able to enforce SSO via Atlassian Access. Measures for the protection of data during transmission See the item above titled “Measures of pseudonymisation and encryption of data“ Measures for the protection of data during storage Data Hosting Facilities Atlassian will, no less frequently than annually, request assurances (e.g., in the form of an independent third party audit report and vendor security evaluations) from its data hosting providers that store or process Customer Data that: a) such data hosting provider’s facilities are secured in an access-controlled location and protected from unauthorized access, damage, and interference; b) such data hosting provider’s facilities employ physical security appropriate to the classification of the assets and information being managed; and

Vulnerability Testing. Atlassian conducts internal vulnerability testing, as described here. This includes our bug bounty program. We make the results of these internal tests publicly available and commit to making bug fixes in line with our Security Bug Fix Policy. b) Customer may, either itself or through an independent third party (who has entered into confidentiality obligations with Atlassian), perform its own vulnerability testing of its Cloud Products in accordance with the Security Test Rules. Customer may report any vulnerabilities impacting the Cloud Products to Atlassian in accordance with the procedures set forth in the Security Test Rules. c) Atlassian will use commercially reasonable efforts to address identified security vulnerabilities in our Cloud Products and our infrastructure in accordance with the Security Bug Fix Policy. The parties acknowledge that Atlassian may update the Security Bug Fix Policy from time to time in its discretion, provided such updates do not result in a material derogation of the Security Bug Fix Policy. Measures for user identification and authorisation Atlassian cloud users can authenticate using username and password, or external IdPs (incl. via XXXX, Google, Microsoft and Apple). All credentials are hosted in the application database, which is encrypted at rest. Passwords are stored using a secure hash + salt algorithm. Administrators are able to configure and enforce password complexity requirements for managed accounts via Atlassian Access: xxxxx://xxxxxxx.xxxxxxxxx.xxx/security-and-access-policies/docs/manage-your-password-policy/. Administrators are also able to enforce SSO via Atlassian Access. Measures for the protection of data during transmission See the item above titled “Measures of pseudonymisation and encryption iteMmeasaurebs oof vpseeudotnymiistatlioneadnd en“cryption of data“ Measures for the protection of data during storage Data Hosting Facilities Atlassian will, no less frequently than annually, request assurances (e.g., in the form of an independent third party audit report and vendor security evaluations) from its data hosting providers that store or process Customer Data that: a) such data hosting provider’s facilities are secured in an access-controlled location and provider’-csontrofllead clociatlioniatndi protected from unauthorized access, damage, and interference; b) such data hosting provider’s facilities employ physical security appropriate to the facilit classification of the assets and information being managed; and