Vulnerability Management Program

1. Purpose

The purpose of this document is to describe the general approach that Izymes Pty Ltd follows to identify, assess, and address software vulnerabilities. The goal is to support the security, stability, and continuous improvement of our products and related development environments.

This program aims to ensure that potential vulnerabilities are recognized early, appropriately prioritized, and remediated in a consistent and transparent manner.

2. Scope

This Vulnerability Management Program applies to all software products developed or maintained by Izymes Pty Ltd, including both Cloud-based (Atlassian Forge) and On-Premises (Data Center) solutions.

It also covers the internal systems and tools used to develop, test, and deploy these products.

3. Governance and Responsibility

Overall coordination and review of the vulnerability management process are typically overseen by the Technical Lead (or a designated team member responsible for security-related topics).

All team members involved in development, testing, or operations are encouraged to stay familiar with the principles outlined in this document.

4. Objectives

The main objectives of this process include:

  • Identify vulnerabilities in code and dependencies.
  • Evaluate and prioritize issues according to severity and potential business impact.
  • Remediate vulnerabilities in a timely and traceable way.

5. Tools

The vulnerability management process is supported by a range of tools and automation intended to make detection and remediation efficient and consistent.

| Area | Tools | Purpose |
|---|---|---|
| Static Analysis (SAST) | Semgrep and OWASP FindSecBugs | Identifies potential code-level issues and security vulnerabilities during development. |
| Dependency Scanning (SCA) | Snyk, OWASP | Detects known vulnerabilities in third-party libraries and open-source components. |
| Penetration Testing | Bugcrowd, Bug bounty PEN test program | Researchers identify vulnerabilities through targeted black box and grey box penetration testing (attempt to hack the product to showcase vulnerabilities). |
| Issue Tracking | Jira Software | Records, prioritizes, and tracks vulnerability-related items. |
| Documentation | Confluence | Maintains related procedures, reports, and improvement notes. |

6. Process Overview

Identification – Tools, Customer, Bug Bounty

Potential vulnerabilities are identified through automated scanning tools (e.g., Snyk, OWASP), code reviews, and, where relevant, external input such as customer feedback.

Bug Bounty Programs

To complement internal security measures, Izymes Pty Ltd may also participate in bug bounty programs when appropriate. The goal is to identify potential vulnerabilities early through independent expertise and to continuously enhance product security.

Triage & Assessment

After a vulnerability is reported, a triage period of about two weeks is generally allocated to review and assess the finding. During this period, the responsible team verifies the report, evaluates its relevance and severity, and determines the most appropriate next steps. Identified issues are classified based on severity (Critical, High, Medium, Low) and potential impact. Critical or high-severity items are typically treated with higher urgency and addressed as hotfixes, while lower-severity findings are scheduled as part of planned releases.

| Severity | Definition | Impact |
|---|---|---|
| Critical | A vulnerability that allows direct compromise of systems or customer data without requiring user authentication. | Immediate security or operational risk. |
| High | A vulnerability that could compromise security or the system through authenticated access. | High potential impact on confidentiality or availability. |
| Medium | An issue that may allow limited access or information disclosure, or affect non-sensitive parts of the system. | It may allow limited data access or partial service disruption. |
| Low | Vulnerabilities with minimal business or operational impact, often requiring local or physical access to exploit. | Minimal operational or security impact. |

Remediation & Target Fix Timeframes

Once a vulnerability has been verified and prioritized, remediation activities can be planned and tracked through Jira. Fixes are developed and tested in alignment with the company’s established development and quality assurance practices.

The following timeframes serve as general guidance for how vulnerabilities are intended to be addressed based on their potential risk. Actual remediation schedules may depend on system complexity, customer deployment models, and release planning.

| Severity | Cloud – Target Fix Time | Data Center – Target Fix Time |
|---|---|---|
| Critical | Within 4 weeks | Within 12 weeks |
| High | Within 6 weeks | Within 12 weeks |
| Medium | Within 8 weeks | Within 12 weeks |
| Low | Within 25 weeks | Within 25 weeks |

Communication

Izymes Pty Ltd aims to handle communication regarding security vulnerabilities in a transparent and responsible way. The goal is to ensure that customers are informed about relevant updates while maintaining confidentiality and minimizing potential risks. Security-related updates are usually communicated through release notes.

Continuous Improvement

Vulnerability management is an ongoing process. Lessons learned from previous findings, incidents, or customer feedback are regularly reviewed to identify opportunities for process and tool improvements.