Security and privacy

General

External Share for Jira is a secure solution developed by Warsaw Dynamics that stores only Atlassian licensing information and share link configurations on a dedicated server in Warsaw, Poland.
It follows OWASP guidelines and requires READ, WRITE, ACT_AS_USER, ADMIN security scopes to access Jira.
External Share for Jira provides tools and means to control access of both internal and external users, It does not share data with third parties (except Mailgun which is optional), and is regular maintained and updated to ensure security. The add-on is compliant with data privacy laws and regulations, ensuring that user data is kept secure and accessed only by authorized users.

Data Storage and Processing

The add-on stores share link configurations, space, and global share configurations, and a minimal amount of data required to provide the service. All data is located on a dedicated server in a data center in Warsaw, Poland, which is compliant with security and compliance standards provided by OVH Cloud. The add-on does not store or cache Jira page data. Instead, it requests page data from Jira when a share link is accessed, processes it, and sends it to the web browser. This ensures that no sensitive data is ever stored on the add-on's server, providing an additional layer of security.

To learn more about how the configuration is stored you can refer to the following links:

User Access Control

The add-on allows Jira users to create share links and then share them with external users. While this feature enables seamless collaboration between Jira users and external collaborators, it also requires proper management and control of shared links to ensure data security.
The add-on provides tools and means to easily control access of both internal and external users. Permission schemes and hierarchical security layers can be implemented to ensure that only authorized users (internal and external) have access to the shared links.

Email Functionality

The add-on provides an optional email functionality through Mailgun, a transactional email API service. However, users should use their own email server instead of Mailgun if they prefer.
This ensures that sensitive data is not transmitted through a third-party service, further improving the security of the add-on.
Transactional Email API Service For Developers | Mailgun

Third-Party Data Sharing

The add-on does not share data with any third parties, except for Mailgun (which is optional).
This means that all data is kept strictly within the user's control, providing an additional layer of security against potential data breaches.

Maintenance and Updates

As with any software, regular maintenance and updates are important to ensure that the add-on remains secure and functioning properly. It is recommended to keep the add-on up-to-date with the latest security patches and updates to ensure the highest level of security.

Privacy

The add-on should be used in compliance with data privacy laws and regulations. This includes ensuring that user data is kept secure and only accessed by authorized users. The add-on's strong focus on security and data protection means that users can rest assured that their data is safe and secure at all times.

In conclusion, "External Share for Jira" add-on is a highly secure and reliable solution for sharing Jira pages with external users. With a focus on data protection, user access control, and privacy, users can trust that their data is safe and secure at all times.

Security FAQ

Subject	Question	Response	Further Comments
Documentation and resources		Security, Data, and Permissions Information: Privacy and Data Security Statement EULA: EULA (End-user license agreement)
Admin Details	Software / App Name(s)	External Share for Jira
	Vendor Name	Warsaw Dynamics
	Vendor on Marketplace	https://marketplace.atlassian.com/vendors/1220579/warsaw-dynamics
	Vendor Head Office	Bluszczańska 34/12 00-712 Warszawa, Poland
	Bug Bounty Programs	Bugcrowd	Part of the initial invite-only Marketplace Apps Bugcrowd Program from Atlassian: https://www.bugcrowd.com/press-release/bugcrowd-announces-industrys-first-platform-enabled-cybersecurity-assessments-for-marketplaces/ Marketplace Security Bug Bounty Program
	Other programs we are part of	Cloud Fortified apps program	Atlassian Cloud Fortified Apps Program Cloud Fortified Apps is the program for a new designation of apps designed to serve our largest customers and those with more business-critical operating requirements when it comes to apps. For more information: Cloud Fortified Apps Program Atlassian Security Self-Assessment Program The security self-assessment program is a collaboration between Atlassian and Marketplace Partners to increase security awareness and improve security practices. The goal is to increase customer confidence in apps and provide them with necessary information to perform security evaluations. The program involves an annual security self-assessment that Atlassian reviews and approves. During the review process, Atlassian works with the partner to pinpoint vulnerabilities and identify improvements. Once approved, the application expires after one year, and partners must re-apply with updated information each year. For more information: https://developer.atlassian.com/platform/marketplace/security-self-assessment-program/
Development Practices	Development environment	Environments: Development- dedicated for development team Staging - as close as possible to production environment for operational support and pre-release testing Production- protected environment dedicated for production with limited and controlled access
	Development process/philosophy	Agile / Kanban	Jira ticket with analysis and expectation Planning using Jira and Confluence Dedicated branch for change (e.g.: feature/hotfix) Pull request review for changes and merge to release branch. Planning of release Release and hot-run support and monitoring
	Main Development Tools used	Documentation: Confluence Issue tracking: Jira, Git repository: Bitbucket CI/CD: Bitbucket Pipeline Provisioning and Configuration: Bitbucket Pipeline / bash / supervisord
	GIT Branching strategy	GitHub Flow Methodology
	Automated code Reviews	Yes	Typescript instead of JS ESLint / TSLint EditorConfig
	Test Management Platform	Zephyr Scale
	Code Review	Pull Request reviewed by Senior developer
	Release Quality Gates	Pull Request reviewed by senior developer / architect Testing on Development Testing on Staging
	Supply Chain Vulnerability Monitoring	OWASP dependency-check-maven
Processes & Organization	Do you follow OWASP guidelines	Yes
	Do you have a Security Vulnerability Communication Process	Yes
	Is logging available to capture user access activity?	Yes	For security and monitoring reasons, we are collecting activity evidence within our systems, which can be used to rebuild activity in case if it is needed. It is not used for any other reason. Retention policy (related logs are deleted) are automatically deleted in 60 days.
	Do you allow 3rd Party audits	No
	Have you had 3rd Party audits	No
	Has your company ever had a security vulnerability?	Yes	All communicated to us by responsible disclosure and verified & fixed within hours. Listing of past security vulnerabilities can be found in our documentation: Security Patches: 2020-11-25 to 2020-12-03archived
	Have you provided notification to customers affected by severe or critical vulnerabilities	Yes
	Do you provide "Safe harbour" to security researches evaluating you product	Yes	Using the Bug Crowd program. For more information: https://docs.bugcrowd.com/researchers/reporting-managing-submissions/disclosure/disclose-io-and-safe-harbor/
	Does your organization maintain and update an incident response policy?	Yes
	Has your company ever experienced a security breach involving client data?	No
	Was notification provided to state agencies/law enforcement authorities?	N/A
	Do you store customer data?	No	We store only shared link configuration, which is required data to render the shared page. We do not cache or store any data related to the Jira instance (i.e. tickets). All the Jira-related data is processed on the client side.
	Do you have Disaster Recovery plan	No	Our infrastructure consists of PostgreSQL, Ngnix and Java is required to start application. We make whole database (DB) backup every 24 hours. DB backup is stored encrypted in Wasabi storage. Manual infrastructure recovery from DB backup can be done within 2 hours.
App specific Questions	What data does your app submit to you (Old Street Solutions)?		The only data that we store is Atlassian licensing information (SEN, technical contact, etc.). Issue data is used for on the fly processing
	Does your App transfer any data to a 3rd party?	No
	Where is app hosted?	OVH data-center. Warsaw, Poland.	https://www.ovh.com/world/network-and-security-solutions.xml Security and Certifications
	Does your App need "Internet" access?	No for External Share for Jira Server and Data Center
	Can you provide a "Pen" test report for your plugin?	N/A
	Are we allowed to Pen test your App on our instance?	Yes (notification required)	We will allow for pen tests, however it is important that you notify us upfront, as we can get false positive reports, and those can results in functionality limitations because of our proactive reactions.
	Do you store any User passwords?	No	External user can create account in our service. We store salted and hashed password (Argon2)
	Where does your App store it's configuration/data?	PostgreSQL Database on OVH
	How do you send emails?	We use Mailgun	Mailgun’s Commitment to Security and Compliance \| Mailgun https://security.mailgun.com/
	What Security Scopes to access our Confluence or Jira, do you require for the App to function?	READ, WRITE, ACT_AS_USER, ADMIN