Security Policy for Release Planning for Jira and Vulnerability Reporting Guidelines

Scope

This policy applies to the Release Planning for Jira repository and its released Forge app artifacts.

Supported Versions

Security fixes are provided for the most recent maintained release line.

Version line                          Supported
Latest minor/patch release on main    Yes
Older release lines                   No

Reporting a Vulnerability

If you believe you have found a security vulnerability, please use one of these channels:

  1. Preferred: Open a private report using GitHub Security Advisories for this repository.

  2. If private reporting is not available, open a standard GitHub issue containing only non-sensitive, high-level details and ask maintainers for a private channel. GitHub issues are public, so do not put reproduction details or impact specifics in the issue itself.

When reporting, include:

  • A short description of the suspected issue.

  • Affected component(s) and version/commit, if known.

  • Reproduction steps using sanitized or synthetic data.

  • The potential impact.

Coordinated Disclosure

To protect users, please do not publicly disclose exploit details until maintainers confirm a fix is available.

What to Avoid in Reports

To reduce risk and prevent accidental exposure, do not include:

  • Secrets, tokens, credentials, or API keys.

  • Customer-identifying data or private Atlassian tenant details.

  • Full exploit payloads that could be reused against production systems.

Response Expectations

Maintainers will:

  • Acknowledge receipt of a security report as soon as practical.

  • Triage and validate the report.

  • Communicate status updates during remediation.

  • Publish a fix and disclosure summary when appropriate.

Security Principles

This project follows these baseline security practices:

  • Least-privilege permission scopes declared in the Forge manifest.yml, requesting only the scopes the app actually uses.

  • Input validation and safe API request patterns.

  • No hard-coded credentials in source control.

  • Dependency and code review checks in the development workflow.