Comment Default Visibility for Jira – Security Statement

Security Statement

Comment Default Visibility for Jira is a Forge app for Jira Cloud. This document describes how the app meets Atlassian Marketplace security requirements and supports the App Security Questionnaire for Forge Apps.

Authentication & Authorization

  • User context: User-initiated actions (e.g. posting a comment) are performed in the current user’s context using asUser(accountId). Wherever user attribution is required, the app never acts outside that user’s context.
  • Permission checks: Before performing actions that require user-specific permissions (e.g. adding a comment), the app checks permissions via the Forge authorize() API (e.g. authorize().onJiraIssue(issueKey).canAddComments()). Admin-only operations (e.g. reading/saving configuration) are gated by Jira’s ADMINISTER permission via the permissions REST API.
  • No Forge remote: The app does not use Forge remote. All code runs in the Forge runtime; there is no custom backend or external host.
  • No web triggers: The app does not use web triggers.
  • Display conditions: Where used, display conditions are supplemented by server-side permission checks (e.g. admin resolver checks isJiraAdmin() before returning config).
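The admin gating described above (a display condition in the manifest only hides the UI; the resolver itself must check ADMINISTER before returning configuration) is illustrated by the following example. It is added here and is not the app's own code: the permission-lookup function and the storage loader are injected so the logic runs offline, and the response shape follows Jira's GET /rest/api/3/mypermissions endpoint, which is the "permissions REST API" the statement refers to.

```javascript
// Added example (not the app's code): fail-closed administrator gating for a
// Forge resolver. fetchMyPermissions stands in for a call to
// GET /rest/api/3/mypermissions?permissions=ADMINISTER made via @forge/api;
// loadConfig stands in for Forge app storage. Both are injected here.

const ADMIN_PERMISSION = 'ADMINISTER';

// Parse a mypermissions response. Anything other than an explicit
// havePermission === true (missing key, malformed body, wrong type) is "no".
function hasPermission(body, permission) {
  if (!body || typeof body !== 'object') return false;
  const entry = body.permissions && body.permissions[permission];
  return !!entry && entry.havePermission === true;
}

// isJiraAdmin(): a failed or malformed lookup denies access instead of granting it.
async function isJiraAdmin(fetchMyPermissions) {
  try {
    const body = await fetchMyPermissions([ADMIN_PERMISSION]);
    return hasPermission(body, ADMIN_PERMISSION);
  } catch (err) {
    return false;
  }
}

// Resolver-style handler: the server-side check is what protects the config,
// regardless of whether the admin page was hidden by a display condition.
async function getConfigResolver(fetchMyPermissions, loadConfig) {
  if (!(await isJiraAdmin(fetchMyPermissions))) {
    return { ok: false, error: 'Forbidden: Jira administrator permission required' };
  }
  return { ok: true, config: await loadConfig() };
}

// Constructed sample responses and storage, standing in for live Jira and Forge.
const adminResponse = { permissions: { ADMINISTER: { key: 'ADMINISTER', havePermission: true } } };
const userResponse = { permissions: { ADMINISTER: { key: 'ADMINISTER', havePermission: false } } };
const fakeStorage = async () => ({ defaultScope: 'constructed-sample-scope' });

async function demo() {
  const asAdmin = await getConfigResolver(async () => adminResponse, fakeStorage);
  const asUser = await getConfigResolver(async () => userResponse, fakeStorage);
  const onError = await getConfigResolver(async () => { throw new Error('503'); }, fakeStorage);
  const onGarbage = await getConfigResolver(async () => 'not json', fakeStorage);
  return { asAdmin, asUser, onError, onGarbage };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The point of the design is that every non-success path (permission false, key absent, request error, unexpected body) collapses to a deny, so a transient Jira error or a response-format change can never open the configuration to non-admins.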

Data & Egress

  • No external egress: The app does not send data to any host outside the Atlassian platform. All requests are to Jira REST APIs within the customer’s Jira Cloud instance.
  • Data storage: Configuration (default scope, per-project and per-component overrides) is stored only in Forge app storage. No customer data is sent to or stored on external systems.
  • No credential collection: The app does not collect or store Atlassian user credentials (passwords or API tokens). It does not require or use Personal Access Tokens (PATs). Authentication is handled by the Forge platform and Jira.

Secrets & Sensitive Data

  • No secrets in code: The app does not hardcode or expose API keys, tokens, or other secrets in source code, URLs, or logs. No secrets are stored in the repository.
  • No sensitive logging: The app does not log PII, credentials, access tokens, or API keys in Forge logs.

Application Security

  • Input validation: All untrusted inputs (e.g. issue key, project key, group ID, component ID) are validated and constrained (type, format, length) before use in API calls or storage (e.g. isValidIssueKey, isValidProjectKey, isValidGroupId). This reduces the risk of injection and malformed requests.
  • Least privilege: The app requests only the scopes needed for its documented functionality. Each scope and the use of impersonation are documented in the app documentation.
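The validators named above (isValidIssueKey, isValidProjectKey, isValidGroupId) are illustrated by the following example. It is added here and is not the app's own code: the function names match the statement, but the concrete rules are assumptions chosen for illustration (Jira's project-key pattern and length are configurable per site, so the defaults are used here; Jira Cloud group IDs are UUIDs and component IDs are numeric). The isValidComponentId helper and validateOverrideRequest wrapper are also additions.

```javascript
// Added example (not the app's code): allow-list validation of untrusted
// resolver inputs before they reach Jira REST calls or Forge storage.
// Rules are assumptions based on Jira Cloud defaults, not the app's settings.

const MAX_PROJECT_KEY_LENGTH = 10;            // Jira default; configurable per site
const PROJECT_KEY_RE = /^[A-Z][A-Z0-9_]*$/;   // default convention: starts with a letter, uppercase
const ISSUE_NUMBER_RE = /^[1-9][0-9]{0,9}$/;  // positive integer with bounded length
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isValidProjectKey(value) {
  return typeof value === 'string'
    && value.length >= 2 && value.length <= MAX_PROJECT_KEY_LENGTH
    && PROJECT_KEY_RE.test(value);
}

// An issue key is <project key>-<number>; both halves are checked separately so
// the combined value can never carry path or query characters into a REST URL.
function isValidIssueKey(value) {
  if (typeof value !== 'string' || value.length > MAX_PROJECT_KEY_LENGTH + 11) return false;
  const idx = value.lastIndexOf('-');
  if (idx <= 0) return false;
  return isValidProjectKey(value.slice(0, idx)) && ISSUE_NUMBER_RE.test(value.slice(idx + 1));
}

// Jira Cloud group IDs are UUIDs; a group *name* such as "jira-software-users"
// is deliberately rejected so name and ID can never be confused in storage.
function isValidGroupId(value) {
  return typeof value === 'string' && UUID_RE.test(value);
}

// Jira component IDs are numeric; accept only a bounded digit string.
function isValidComponentId(value) {
  return typeof value === 'string' && /^[1-9][0-9]{0,17}$/.test(value);
}

// Validate a whole override request and return a normalised copy. Nothing from
// the raw payload is passed through; only the fields that passed are rebuilt.
function validateOverrideRequest(payload) {
  if (!payload || typeof payload !== 'object') {
    return { ok: false, errors: ['payload must be an object'] };
  }
  const errors = [];
  if (!isValidProjectKey(payload.projectKey)) errors.push('projectKey');
  if (payload.componentId !== undefined && !isValidComponentId(payload.componentId)) errors.push('componentId');
  if (!isValidGroupId(payload.groupId)) errors.push('groupId');
  if (errors.length) return { ok: false, errors };
  const value = { projectKey: payload.projectKey, groupId: payload.groupId.toLowerCase() };
  if (payload.componentId !== undefined) value.componentId = payload.componentId;
  return { ok: true, value };
}

// Constructed sample inputs: one well-formed request and one that smuggles
// a path segment in the project key and a group name instead of a group ID.
const goodRequest = { projectKey: 'PROJ', componentId: '10042', groupId: '8D5A3E9F-1B2C-4D5E-9F0A-1B2C3D4E5F60' };
const badRequest = { projectKey: 'PROJ/../admin', componentId: '10042', groupId: 'jira-software-users' };

console.log(validateOverrideRequest(goodRequest));
console.log(validateOverrideRequest(badRequest));
```

Normalising the group ID to lower case on the way in means the same group can only ever appear once as a storage key, and rejecting names where an ID is expected avoids a silent lookup mismatch later.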

Dependencies & Vulnerabilities

  • Vulnerability checks: Third-party dependencies are reviewed for known vulnerabilities using npm audit. The project is maintained so that critical and high-severity issues are addressed before release.
  • Updates: Dependencies are kept up to date; security advisories and dependency updates are applied in a timely manner.
  • Policy: We follow the Security Bug Fix Policy for Marketplace Apps and will notify Atlassian and affected customers in case of a security incident or critical vulnerability, in line with App Security Incident Management Guidelines.

Security Contact

At least one security contact is registered for this app and has an account on ecosystem.atlassian.net so they can receive and respond to Atlassian Marketplace Security (AMS) tickets and vulnerability reports.

Privacy & Compliance

This security statement is intended for Marketplace reviewers and customers. When completing the Marketplace Privacy & Security tab or App Security Questionnaire, use this document and the app’s permission justification (scope documentation) as references.