Security is foremost in how we design our apps, so we would like to describe some of the steps we've adopted.
Security is very important to the BulkOps app for Jira (Pro) and its users, and we're committed to the responsible reporting and handling of security-related issues. Please help by reporting any security issue you find in this app.
Code Scanning
We regularly scan our code for potential security vulnerabilities, and we check every dependency for any vulnerability impact before committing a change to the release version. We use a number of tools, such as Codacy and http://Snyk.io, to monitor for potential vulnerabilities and to provide mitigation measures where necessary. We also scan our code base regularly to ensure best practice in writing code and to mitigate known threats relating to the use of certain code structures.
Confidentiality
Our users can rest assured that no end-user data is retained or stored by the app. Any information supplied to the app is processed immediately and then discarded. The only data retained is the audit-log data described under Disaster Recovery, which contains no end-user data; access to that log data is restricted to the administrator of the app, and all such information is confidential.
Testing
We run automated and user-based tests for every update and upgrade made to the app, using services such as Travis CI to run the automated tests whenever changes are made. We also check for vulnerabilities within dependencies to understand whether they affect the app in any way; if they do, we provide mitigation steps to remedy the issue.
Disaster Recovery
The database is backed up daily to private, encrypted servers. This database stores only the log data used by the audit log feature; it does not store any end-user data or any uploaded file data.
Bug Bounties
We appreciate all efforts taken to keep this app safe to use, and we encourage you to report any vulnerability you find. However, the BulkOps app for Jira (Pro) does not run a bug bounty program at the moment.
Disclosing Security Issues
The process we've adopted to take security issues from private to public involves multiple steps. Approximately one week prior to public disclosure we publish a security advisory. For our users, we typically push an update containing the fix automatically, as soon as possible once we've identified the vulnerability.
Severity classification of vulnerability types:

High | Medium | Low |
---|---|---|
Remote code execution | Broken authentication | Data exposure |
SQL injection | Cross site scripting (XSS) | Unvalidated redirects |
Cross site request forgery (CSRF) | | |
Reporting Security Issues
Please send your report to support[at]elfapp.nl