Last updated Feb 26, 2025

Security Questionnaires for Marketplace Apps

As part of uplifting the security baseline for all Marketplace apps, we are launching a new set of security questions for Marketplace partners to complete during the app onboarding and app review processes. Below are the questionnaires for each app type.

Review Criteria:

We expect all apps to adhere to Atlassian app development standards. Refer to the Security Requirements: https://developer.atlassian.com/platform/marketplace/security-requirements

The following review signals indicate the action Atlassian takes when a response falls short of Atlassian standards.
Icon and description:
ℹ️ Informational: no action needed. Does not block the app from listing on the Marketplace.
⚠️ Warning: indicates a security concern; we will provide a recommendation. Does not block the app from listing on the Marketplace.
🚫 Fail: indicates a security violation that must be addressed. Blocks the app from listing on the Marketplace, and the respective app approval/review ticket will be rejected.

Security Questionnaire for Forge Apps

Questions are grouped by category; the review signal that applies to each response is shown in brackets at the end of the question.

Authentication & Authorization
1. Does your Forge app functionality include user interactions? (Yes/No) [ℹ️]
   a. If yes, does your app use the asUser() method where applicable for actions performed by the user? (Yes/No) [⚠️]
2. Does your app use Forge remote? (Yes/No) [ℹ️]
   a. If yes, does your remote host validate the authentication information in the Forge Invocation Token (FIT)? (Yes/No) [🚫]
   b. If yes, when your remote host executes user actions that require user context, does it validate that the user has the necessary permissions? (Yes/No/Not Applicable) [🚫]
3. Before invoking calls using asApp() for actions that require user-specific permissions, do you ensure that the user has the necessary permissions by calling the permissions REST APIs? (Yes/No/Not Applicable) [🚫]
4. Does your Forge app use web triggers? (Yes/No) [ℹ️]
   a. If yes, do you perform authentication checks on the web trigger before invoking critical functions? (Yes/No) [⚠️]
5. Does your Forge app use display conditions? (Yes/No) [ℹ️]
   a. If yes, do you rely solely on these conditions without checking user permissions in your code? (Yes/No) [⚠️]

Data Security
6. Does your Forge app egress data to external hosts? (Yes/No) [ℹ️]
   a. If yes, does the list of egress domains include wildcard entries such as *.com or *? (Yes/No) [🚫]
   b. If yes, does your egress domain/remote host support TLS versions below 1.2? (Yes/No) [🚫]
   c. If yes, do you plan to renew the egress domain and its certificate when they expire? (Yes/No) [⚠️]
   d. If yes, did you implement controls to safeguard customer data stored at rest on the remote host? (Yes/No) [⚠️]
      i. If yes, please list all the controls in place. (Open text) [ℹ️]
7. Does your Forge app adhere to the principle of least privilege by ensuring that the app's scopes are limited to only the permissions necessary for its functionality? (Yes/No) [⚠️]
8. Does your app log sensitive information (such as PII, credentials, access tokens, or API keys) in Forge logs? (Yes/No) [⚠️]

Application Security
9. Have you implemented controls in the app to validate and sanitize all user inputs in order to mitigate injection attacks? (Yes/No) [⚠️]
   a. If yes, please explain the input validations implemented on user inputs and, if applicable, URLs. (Open text) [ℹ️]
10. Did you review the app's third-party dependencies for vulnerabilities using automated tools, and do you plan to keep these dependencies up to date? (Yes/No) [🚫]

Secrets Management
11. Does your app collect Atlassian user account credentials, such as passwords or API tokens? (Yes/No) [🚫]
12. Does your app collect any third-party service's credentials or tokens? (Yes/No) [ℹ️]
   a. If yes, do you store them in Forge storage with encryption? (Yes/No) [ℹ️]
      i. If not, do you store them externally? (Yes/No) [ℹ️]
13. Does your app expose any secrets in plain text in accessible locations such as URLs, source code, or code repositories? (Yes/No) [🚫]

Vulnerability Management
14. Do you perform vulnerability scans and review the results? (Yes/No) [ℹ️]
   a. If yes, please select the types of scans performed: [ℹ️]
      1. Software composition analysis (SCA)
      2. Static application security testing (SAST)
      3. Dynamic application security testing (DAST)
15. Have you read our Marketplace Security Bug Fix policy? (Yes/No) [ℹ️]
16. Do you plan to notify customers and Atlassian in case of a security incident or a critical vulnerability in your app? (Yes/No) [ℹ️]
17. Have you identified a security contact for the app and created an account on ecosystem.atlassian.net? (Yes/No) [ℹ️]

Security Questionnaire for Connect Apps

Questions are grouped by category; the review signal that applies to each response is shown in brackets at the end of the question.

Authentication & Authorization
1. Does your app use Connect JWT for authentication? (Yes/No) [ℹ️]
   a. If no, please explain how user actions are authenticated. (Open text) [⚠️]
   b. If yes, does your app validate user permissions on all endpoints through the permissions REST APIs? (Yes/No) [🚫]
   c. If yes, does the app validate the authenticity of incoming JWTs (including token signature and expiration) on all endpoints? (Yes/No) [🚫]
   d. If yes, does your app accept context JWTs on module or lifecycle endpoints? (Yes/No) [⚠️]
2. Does your app validate signed install and uninstall lifecycle hooks? (Yes/No) [🚫]
3. Does your app require the ADMIN or ACT_AS_USER scopes? (Yes/No) [ℹ️]
   a. If yes, please explain why your application needs these scopes. (Open text) [ℹ️]
4. Is anonymous access allowed in your app? (Yes/No) [ℹ️]
   a. If yes, can anonymous users access non-public or user-generated (UGC) data through any of the endpoints? (Yes/No) [🚫]
5. Does your app use webhooks? (Yes/No) [ℹ️]
   a. If yes, does your app validate the authenticity of each webhook POST request via the JWT in its Authorization header? (Yes/No) [⚠️]
6. Does your app use Connect conditions? (Yes/No) [ℹ️]
   a. If yes, do you rely solely on these conditions without checking user permissions in your code? (Yes/No) [⚠️]

Data Security
7. Does your app use entity properties or app properties to store sensitive information? (Yes/No) [🚫]
8. Have you established measures to protect customer data both at rest and in transit on the app's server? (Yes/No) [⚠️]
   a. If yes, please provide a detailed list of these controls. (Open text) [ℹ️]
9. Are all communications with the app server encrypted over TLS 1.2 or above? (Yes/No) [🚫]
10. Is the Connect shared secret encrypted at rest and securely stored? (Yes/No) [⚠️]
   a. If yes, please provide a detailed list of controls. (Open text) [ℹ️]
11. Does your app adhere to the principle of least privilege by ensuring that the app's scopes are limited to only the permissions necessary for its functionality? (Yes/No) [⚠️]
12. Does your app log sensitive information (such as PII, credentials, access tokens, or API keys) in application logs? (Yes/No) [⚠️]

Application Security
13. Does the app validate and sanitize all user inputs in order to mitigate injection attacks? (Yes/No) [⚠️]
   a. If yes, please explain the input validations implemented. (Open text) [ℹ️]
14. Does your app use template engines? (Yes/No) [ℹ️]
   a. If yes, have you implemented controls that restrict the template engine from executing dangerous functions, thereby preventing harmful code execution? (Yes/No) [⚠️]
15. Do you own the domain or subdomain on which your app is hosted? (Yes/No) [ℹ️]
   a. If yes, do you plan to maintain the validity of the domain and certificate and renew them when they expire? (Yes/No) [⚠️]
16. Did you review the app's third-party dependencies for vulnerabilities using automated tools? (Yes/No) [🚫]
17. Did you configure a Content Security Policy (CSP) for your app? (Yes/No) [ℹ️]
   a. If yes, does the script-src directive include unsafe-inline or unsafe-eval? (Yes/No) [⚠️]

Secrets Management
18. Does your app collect Atlassian account credentials, such as passwords or API tokens? (Yes/No) [🚫]
19. Does your app collect any third-party service's credentials or tokens? (Yes/No) [ℹ️]
   a. If yes, please explain the controls implemented to safeguard the collected secrets. (Open text) [ℹ️]
20. Does your app expose any secrets in plain text in easily accessible locations such as URLs, source code, or code repositories? (Yes/No) [🚫]

Vulnerability Management
21. Do you perform vulnerability scans and review the results? (Yes/No) [ℹ️]
   a. If yes, please select the types of scans performed: [ℹ️]
      1. Software composition analysis (SCA)
      2. Static application security testing (SAST)
      3. Dynamic application security testing (DAST)
22. Have you read our Marketplace Security Bug Fix policy? (Yes/No) [ℹ️]
23. Do you plan to notify customers and Atlassian in case of a security incident? (Yes/No) [ℹ️]
24. Have you identified a security contact for the app and created an account on ecosystem.atlassian.net? (Yes/No) [ℹ️]

Security Questionnaire for 3LO Apps

Questions are grouped by category; the review signal that applies to each response is shown in brackets at the end of the question.

Data Security
1. Does your app encrypt and securely store the OAuth client secret, access tokens and refresh tokens on the server side? (Yes/No) [🚫]
2. Does your app collect Atlassian account credentials, such as passwords or API tokens? (Yes/No) [🚫]
3. Are the app's requested scopes limited to only the permissions necessary for its functionality? (Yes/No) [⚠️]
4. Does your app log direct Personally Identifiable Information (PII) or OAuth secrets, such as client secrets, access tokens, or refresh tokens, in application logs? (Yes/No) [⚠️]
5. Did you implement controls to safeguard customer data at rest on the app's server? (Yes/No/Not Applicable) [⚠️]
   a. If yes, what is your retention policy for customer data stored on the app's server? (Open text) [ℹ️]
6. Does your app encrypt all communications over TLS 1.2 or above? (Yes/No) [🚫]

Application Security
7. Does your app set a unique state parameter to ensure the integrity of authorization and callback requests? (Yes/No) [🚫]
   a. If yes, does your app appropriately validate the state parameter to prevent replay attacks? (Yes/No) [🚫]
      i. If yes, please explain the validations implemented. (Open text) [ℹ️]

Vulnerability Management
8. Do you perform vulnerability scans and review the results? (Yes/No) [ℹ️]
   a. If yes, please select the types of scans performed: [ℹ️]
      1. Software composition analysis (SCA)
      2. Static application security testing (SAST)
      3. Dynamic application security testing (DAST)
9. Have you read our Marketplace Security Bug Fix policy? (Yes/No) [ℹ️]
10. Do you plan to notify customers and Atlassian in case of a security incident or a critical vulnerability in your app? (Yes/No) [ℹ️]
11. Have you identified a security contact for the app and created an account on ecosystem.atlassian.net? (Yes/No) [ℹ️]

Security Questionnaire for DC Apps

Questions are grouped by category; the review signal that applies to each response is shown in brackets at the end of the question.

Data Security
1. Does your app allow UnrestrictedAccess on any of its endpoints? (Yes/No) [ℹ️]
   a. If yes, does the endpoint perform user actions or respond with dynamic user/app data? (Yes/No) [⚠️]
      i. If yes, please provide more details on why this is allowed. (Open text) [🚫]
2. Does this app send user data outside of the host instance? (Yes/No) [ℹ️]
   a. If yes, do you own or manage the external domain or third-party service to which the app sends data? (Yes/No) [ℹ️]
   b. If yes, does the transferred data contain any sensitive data such as PII? (Yes/No) [ℹ️]
      i. If yes, please provide more details on why this information is egressed and how it is protected. (Open text) [ℹ️]
3. Does your app store sensitive data such as user credentials, PII, or financial or proprietary information? (Yes/No) [ℹ️]
   a. If yes, is this information sufficiently protected by an access control mechanism that verifies user permissions before allowing access? (Yes/No) [⚠️]

Application Security
4. Does your app pass request arguments in any way to external processes (e.g. Git)? (Yes/No) [ℹ️]
   a. If yes, is the input properly checked and sanitized to prevent leaking arbitrary data from the file system? (Yes/No) [⚠️]
      i. If yes, please provide more details on how this was implemented. (Open text) [ℹ️]
5. Does your app block forged state-changing requests to protect against Cross-Site Request Forgery (CSRF) attacks? (Yes/No) [⚠️]
6. Did you review the app's third-party and open-source dependencies for vulnerabilities using automated tools? (Yes/No) [🚫]
7. Does the app validate and sanitize all user inputs to mitigate injection attacks such as XSS or SQL injection? (Yes/No) [⚠️]
8. Does the app validate URLs and external resources to prevent unauthorized requests and mitigate Server-Side Request Forgery (SSRF) vulnerabilities? (Yes/No/Not Applicable) [⚠️]
   a. If yes, do the outbound requests from your app honor the host product's IP allowlist? (Yes/No) [⚠️]
9. Does your app instantiate its own template engine instead of using the one provided by the product? (Yes/No/Not Applicable) [🚫]
10. Does your app implement serialization and deserialization of objects? (Yes/No/Not Applicable) [ℹ️]
   a. If yes, does your app ensure that objects are deserialized securely (e.g. using wrappers) and prevent arbitrary deserialization? (Yes/No/Not Applicable) [🚫]

Secrets Management
11. Does your app collect Atlassian account credentials, such as user passwords or API tokens? (Yes/No) [ℹ️]
   a. If yes, do you egress the credentials to external servers? (Yes/No) [⚠️]
   b. If yes, please provide a brief explanation of the reason for the egress. (Open text) [🚫]
12. Does your app expose any secrets in plain text within the app artifact (JAR, OBR) or source code? (Yes/No) [🚫]

Vulnerability Management
13. Do you perform vulnerability scans and review the results? (Yes/No) [ℹ️]
   a. If yes, please select the types of scans performed: [ℹ️]
      1. Software composition analysis (SCA)
      2. Static application security testing (SAST)
      3. Dynamic application security testing (DAST)
14. Have you read our Marketplace Security Bug Fix policy? (Yes/No) [ℹ️]
15. Do you plan to notify customers and Atlassian in case of a security incident or a critical vulnerability in your app? (Yes/No) [ℹ️]
16. Have you identified a security contact for the app and created an account on ecosystem.atlassian.net? (Yes/No) [ℹ️]
