The security requirements for cloud apps are a combination of security best practices and application security defenses that prevent security vulnerabilities from being introduced in applications.
Our goal is to create a high level of trust and security in the Marketplace for our users. We use the requirements as the first step to improve security in Marketplace apps. It isn't our intention to place onerous security burdens on Marketplace Partners or create any surprises. Instead, we want to work with Marketplace Partners and provide the resources necessary to achieve these mutually beneficial security goals.
The list of requirements reflects common security issues affecting Marketplace cloud apps. These are verifiable defenses, which we can validate manually or automatically.
We intend to update security requirements annually in April to make sure our policies reflect the latest vulnerabilities, technology changes, and customer needs. The updated requirements will be effective by the end of October in order to give partners and developers enough time to make changes.
When Atlassian detects that an application is not meeting a security requirement, we will create a vulnerability ticket in our vulnerability management system, Atlassian Marketplace Security (AMS). From there, we will track your progress in addressing the vulnerability, and provide support, when needed.
The current scope of these requirements is Connect apps, Forge apps, Forge apps that egress data, and Trello apps (Power-Ups).
You are responsible for ensuring encryption of data at rest for any data that is not stored in the Atlassian infrastructure. This includes Forge apps that egress data to external data stores. View more on data storage in Forge's shared responsibility model. At a minimum, we require you to enable Full Disk Encryption (disk level) on your server so that End User Data stored outside of the Atlassian product or the user's browser is encrypted at rest and has some level of protection. If the data is stored in managed services like S3, this requirement asks you to enable at least the default encryption offered by the managed service. The encryption requirement is met for any data stored inside the Atlassian product (e.g. entity/content properties).
No. If an app’s authentication type is set to none in the app descriptor, and if all endpoints serve only static content, then this requirement does not apply.
Yes. Apps cannot collect or store credentials belonging to Atlassian user accounts, such as user passwords or user API tokens. When apps utilize Atlassian API tokens, it undermines several of the trust and security controls that Atlassian has in place to protect customers and partners. For example, in case of an account compromise, it is extremely difficult for Atlassian to identify that the REST API activity is originating from a specific app instead of from a specific customer.
In instances where a product REST API does not support JWT authentication, you may contact us. We will work internally to add JWT authentication. We will not create a vulnerability ticket in these instances.
Security requirements are mandatory defenses that apps must implement. The Security Guidelines are recommendations to improve the security of your app: they are not mandatory.
Yes. All cloud apps must meet the security requirements. This includes free apps.
No. Once the security requirements are met, the app can be relisted on the Marketplace.
You can use open-source tools to check if your app meets the requirements. Please refer to Additional Information: Security requirements for advice on how to check whether your app is compliant.
If the workaround mitigates the security vulnerability, then you will not be penalized. The Atlassian security team will evaluate this on a case-by-case basis. Refer to security bug fix policy to learn more about the process.
Forge has role-based access controls as seen in our Security Practices trust centre. However, Atlassian does not provide or enforce role-based access controls for partners building Forge apps.
You will have access to UGC/Personally Identifiable Information (PII), which is controlled and declared through scopes and permissions in the Forge manifest/Connect descriptor. However, you are still responsible for cleaning up anything that is stored outside of the Atlassian systems from these responses.
If you poll us at least every 7 days, you should be able to process deleted accounts within the timeframes required by GDPR (2-4 weeks). View User privacy guide for more information.
The requirements do not impact the listing process. Apps will not be tested prior to listing but are subject to continuous review by the Atlassian security team. Any security gaps identified will be addressed by following the security bug fix policy.
If you have any questions or feedback about the security requirements, please use the "Give docs feedback" option provided above.