Summary: We build and operate our Atlassian Marketplace apps with a security-first approach: least-privilege permissions, secure storage, safe handling of untrusted input, and automated dependency vulnerability scanning.
1. Scope
This policy applies to Atlassian Marketplace apps developed by LND Tech, including (but not limited to) our Jira Cloud Forge apps.
Where a specific app differs (for example, due to product type or features), that app’s documentation and configuration reflect the correct implementation details.
2. Secure Development Practices
- Least privilege: we request and use only the Atlassian/Jira permissions necessary for each app’s intended functionality.
- Authentication & authorization: app actions are authorized according to Atlassian/Forge security models and expected user permissions.
- Input handling: we treat all untrusted inputs as unsafe and validate/sanitize them to reduce injection risks.
- Secrets management: we do not store credentials in code repositories or easily accessible locations. Secrets are handled using platform-supported mechanisms where applicable.
- Atlassian user credentials: we do not request or store Atlassian user passwords or Atlassian user API tokens.
- Logging hygiene: we avoid logging PII, credentials, access tokens, API keys, or other sensitive data.
- Transport security: our apps use TLS (1.2 or higher) for all network communications.
3. Data Protection
Many of our Atlassian apps are built on Atlassian Forge. In those cases:
- We minimize access to Atlassian data to what is required for the app’s features.
- Cached or stored results use Atlassian platform storage and are protected according to Forge’s security model.
- We do not intentionally exfiltrate Atlassian user data to external systems.
4. Vulnerability Management
- Automated scans: we run automated dependency vulnerability checks (for example, npm audit) before releasing or publishing updates.
- Patch fast: if critical or high vulnerabilities are identified, we remediate them promptly and re-test before resubmission.
- Atlassian notification: we follow Atlassian Marketplace guidance for security bug fixes and will notify Atlassian of relevant security incidents via ECOHELP.
5. Incident Response & Communications
If we become aware of a security incident or a critical vulnerability that may affect customers, we will:
- triage and mitigate the issue,
- coordinate with Atlassian through ECOHELP when required,
- communicate with affected customers when appropriate, following Atlassian’s guidance.
6. How to Report a Security Issue
If you discover a security vulnerability in any of our Atlassian apps, please contact us at:
support@lndtech.eu
Please include as much detail as possible (impacted app, steps to reproduce, expected vs. actual behavior, and any relevant logs or screenshots).