Summary: Workflow Flows for Jira is built with a security-first approach: Forge-hosted execution, least-privilege scopes, user permission checks before app-context reads, secure handling of inputs, and dependency vulnerability scanning.
1. Scope
This policy applies to Workflow Flows for Jira, a Jira Cloud app developed by LND Tech and built on Atlassian Forge.
The app provides issue status-flow timeline insights and project-level admin controls, and does not modify Jira issue data.
2. Authentication & Authorization
- Forge identity model: app requests run under Atlassian Forge security boundaries.
- User permission checks: before app-context Jira reads, the app checks user Jira permissions using asUser() and Jira permissions APIs.
- App-context reads: after permission checks, Jira data retrieval runs with asApp() for required app functionality.
- No credential collection: we do not request or store Atlassian user passwords or Atlassian user API tokens.
3. Least Privilege & Data Handling
Workflow Flows uses only the scopes required for its features:
- read:jira-work for issue/status and project read operations.
- storage:app for app settings (enabled projects and threshold configuration).
Data minimization principles applied:
- Read-only access to Jira data needed for status-flow timeline and admin settings.
- No data egress to external/non-Atlassian hosts for app functionality.
- No intentional exfiltration of Atlassian customer data to external systems.
4. Secure Coding Controls
- Input validation: resolver payloads are validated for expected types and bounds (for example, array checks, non-negative pagination bounds, non-empty issue keys).
- URL safety: Jira API URLs are built using Forge route templates instead of raw path concatenation.
- Secret hygiene: we do not keep secrets in source code, URLs, or public repositories.
- Logging hygiene: we avoid logging PII, credentials, tokens, and API keys.
- Transport security: communications use TLS through Atlassian platform infrastructure.
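The permission-then-read pattern from section 2 together with the payload validation and route-template controls from section 4, as an added example that is not the app's own source. The Jira client is injected so the code runs offline against a constructed fake; in a Forge app it would be `api` from `@forge/api`, and the local `route` stand-in mimics that package's tagged template. The REST endpoints and the BROWSE_PROJECTS permission name are standard Jira Cloud values, not taken from this page.

```javascript
// Added example, not the app's own source. `jira` is injected (Forge's `api` in
// a real app) so the function can run offline against the constructed fake below.

// Stand-in for Forge's `route` tagged template: every interpolated value is
// URL-encoded, so caller-supplied input cannot add path segments or query keys.
const route = (strings, ...values) =>
  strings.reduce((acc, s, i) =>
    acc + s + (i < values.length ? encodeURIComponent(String(values[i])) : ''), '');

// Validate the resolver payload for type and bounds before any Jira call.
function validatePayload(payload) {
  const { projectKey, startAt = 0, maxResults = 50 } = payload || {};
  if (typeof projectKey !== 'string' || !/^[A-Z][A-Z0-9_]{1,9}$/.test(projectKey)) {
    throw new Error('invalid projectKey');
  }
  if (!Number.isInteger(startAt) || startAt < 0) throw new Error('invalid startAt');
  if (!Number.isInteger(maxResults) || maxResults < 1 || maxResults > 100) {
    throw new Error('invalid maxResults');
  }
  return { projectKey, startAt, maxResults };
}

async function getStatusTimeline(payload, jira) {
  const { projectKey, startAt, maxResults } = validatePayload(payload);
  // Step 1: as the calling user, ask Jira whether they may browse the project.
  const permRes = await jira.asUser().requestJira(
    route`/rest/api/3/mypermissions?projectKey=${projectKey}&permissions=BROWSE_PROJECTS`);
  const perms = await permRes.json();
  if (!perms.permissions?.BROWSE_PROJECTS?.havePermission) {
    return { ok: false, error: 'forbidden' };
  }
  // Step 2: only now read as the app; the changelog carries status transitions.
  const jql = `project = ${projectKey} ORDER BY created DESC`;
  const res = await jira.asApp().requestJira(
    route`/rest/api/3/search?jql=${jql}&expand=changelog&startAt=${startAt}&maxResults=${maxResults}`);
  const data = await res.json();
  return { ok: true, issues: data.issues.map((i) => i.key) };
}

// Constructed fake Jira client: the user may browse DEMO but nothing else.
function makeFakeJira() {
  const json = (body) => ({ json: async () => body });
  return {
    asUser: () => ({ requestJira: async (url) => json({ permissions: {
      BROWSE_PROJECTS: { havePermission: url.includes('projectKey=DEMO') } } }) }),
    asApp: () => ({ requestJira: async () => json({ issues: [{ key: 'DEMO-1' }, { key: 'DEMO-2' }] }) }),
  };
}
```

The app-context read never executes when the user-context permission check fails, so a resolver caller cannot use the app's broader access to see projects they cannot browse themselves.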
5. Vulnerability Management
- Automated scans: we run automated dependency vulnerability checks (for example, npm audit) before releasing or publishing updates.
- Patch fast: if critical or high vulnerabilities are identified, we remediate them promptly and re-test before resubmission.
- Atlassian notification: we follow Atlassian Marketplace guidance for security bug fixes and will notify Atlassian of relevant security incidents via ECOHELP.
6. Incident Response & Communications
If we become aware of a security incident or a critical vulnerability that may affect customers, we will:
- triage and mitigate the issue,
- coordinate with Atlassian through ECOHELP when required,
- communicate with affected customers when appropriate, following Atlassian’s guidance.
7. How to Report a Security Issue
If you discover a security vulnerability in any of our Atlassian apps, please contact us at:
support@lndtech.eu
Please include as much detail as possible (impacted app, steps to reproduce, expected vs. actual behavior, and any relevant logs or screenshots).