Security
Overview
The Smart Images for Confluence app (the “App”) takes part in the Atlassian Marketplace Bug Bounty Program, which helps us find security vulnerabilities sooner and raises the overall security level for our customers.
Secure development
We follow established secure development practices to keep our software secure:
- Regular security training so developers stay current on common vulnerabilities and threats
- Code review with a focus on security vulnerabilities
- Regular updates of third-party dependencies
- Software Composition Analysis (SCA) to detect known vulnerabilities in the third-party dependencies we ship
Employee Access to Customer Data
The App’s team does not access customer data in the normal course of operations. Where access is needed to resolve a support request or to respond to an incident, we ask for your consent first, and we access only the minimum data needed to resolve the issue. Our employees connect to the infrastructure over secured communication channels with several layers of protection.
Product Security
The App is built on Atlassian Connect, which secures communication between the App, Confluence, and the user with HTTPS and JWT-authenticated requests. Smart Images never handles or stores user passwords or credentials: users authenticate to Confluence, and the App is only ever used from inside Confluence.
Learn more about Atlassian Connect security in Atlassian’s documentation.
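As an added illustration of what “JWT authentication” means in Atlassian Connect (this is example code, not Smart Images’ own implementation), the block below shows how an app validates an incoming Connect request: it recomputes the HS256 signature with the shared secret exchanged at installation, checks the issuer against the installation’s client key, checks expiry, and recomputes the query string hash (qsh) so that a token captured for one request cannot be replayed against another. The canonical-request construction follows Atlassian’s documented qsh algorithm (sorted, percent-encoded parameters, repeated values comma-joined, the jwt parameter excluded). The shared secret, client key and URLs are constructed values; the create_connect_jwt function stands in for the Confluence side so the example runs offline.

```python
"""Atlassian Connect JWT verification with query-string-hash (qsh) checking.

Added illustration, not Smart Images' own code. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, urlparse

# Constructed values: in a real Connect app these arrive in the "installed"
# lifecycle callback Confluence sends when an administrator installs the app.
SHARED_SECRET = "constructed-shared-secret-from-installed-callback"
CLIENT_KEY = "constructed-client-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_request(method: str, url: str, base_path: str = "") -> str:
    """Build METHOD&canonical-path&canonical-query as Connect's qsh algorithm defines it."""
    parsed = urlparse(url)
    path = parsed.path
    if base_path and path.startswith(base_path):
        path = path[len(base_path):]          # path relative to the app's base URL
    path = path.rstrip("/") or "/"            # no trailing slash; empty path becomes "/"
    params = parse_qs(parsed.query, keep_blank_values=True)
    parts = []
    for key in sorted(params):
        if key == "jwt":                      # the token is never part of its own hash
            continue
        # values of a repeated parameter are sorted and comma-joined; keys and values
        # are percent-encoded RFC 3986 style (space -> %20, "~" left unencoded)
        values = ",".join(quote(v, safe="~") for v in sorted(params[key]))
        parts.append(f"{quote(key, safe='~')}={values}")
    return "&".join([method.upper(), path, "&".join(parts)])


def query_string_hash(method: str, url: str, base_path: str = "") -> str:
    return hashlib.sha256(canonical_request(method, url, base_path).encode()).hexdigest()


def create_connect_jwt(secret, client_key, method, url, now=None, ttl=180):
    """What the Confluence side does: an HS256 token bound to one request via qsh."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS256"}
    claims = {"iss": client_key, "iat": now, "exp": now + ttl,
              "qsh": query_string_hash(method, url)}
    segments = [_b64url_encode(json.dumps(x, separators=(",", ":")).encode())
                for x in (header, claims)]
    signing_input = ".".join(segments)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_connect_jwt(token, secret, expected_client_key, method, url, now=None):
    """Return the claims if the token is valid for exactly this request, else None."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
    except (ValueError, TypeError):
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None                           # rejects alg=none and algorithm-confusion tokens
    expected = hmac.new(secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None                           # verify the signature before trusting any claim
    try:
        claims = json.loads(_b64url_decode(c))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("iss") != expected_client_key:
        return None                           # token issued for a different installation
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None                           # expired
    if claims.get("qsh") != query_string_hash(method, url):
        return None                           # token replayed against a different request
    return claims


if __name__ == "__main__":
    url = "https://smart-images.example.com/rest/image?pageId=123&size=large"
    token = create_connect_jwt(SHARED_SECRET, CLIENT_KEY, "GET", url)
    print("valid:", verify_connect_jwt(token, SHARED_SECRET, CLIENT_KEY, "GET", url) is not None)
    replayed = "https://smart-images.example.com/rest/image?pageId=999&size=large"
    print("replayed on another page:", verify_connect_jwt(token, SHARED_SECRET, CLIENT_KEY, "GET", replayed))
```

The order of checks matters: the signature is verified before any claim is read, the issuer is compared with the installation that owns the secret (so one tenant’s token cannot be used against another), and the qsh check is what ties the token to one method and URL. Because the jwt query parameter is excluded from the canonical request, a token passed in the URL still verifies against that same URL.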
Permissions
The maximum set of actions Smart Images can perform is defined by the scopes declared in the App descriptor (atlassian-connect.json) and is shown to the administrator during installation. Atlassian Connect enforces these scopes on the Confluence side, so the App cannot exceed them regardless of how it is implemented.
The App requests the following scopes:
- READ - View, browse, and read information from Confluence.
- WRITE - Create and edit Images
- DELETE - Delete Images
- ACT_AS_USER - Access content using the permissions of the user running the app
Learn more in Atlassian’s scopes documentation.
Network and Application Security
The App’s infrastructure and data are hosted in Amazon Web Services (AWS) in the Frankfurt region (eu-central-1).
Backups and Monitoring
Smart Images automatically backs up every data store that contains customer data, and all backups are encrypted.
Encryption
All data sent to or from Smart Images systems over public networks is encrypted in transit with TLS 1.2 or later, protecting it from unauthorized disclosure or modification. We use AWS-managed network components and TLS policies that require strong cipher suites and key lengths, to the extent the client’s browser supports them.
Pentests and Vulnerability Scanning
Smart Images uses third-party security tools to continuously scan for vulnerabilities and participates in the Atlassian Marketplace Bug Bounty Program to crowdsource vulnerability discovery.
Incident Response
Smart Images maintains an Incident Response Policy for handling security events, covering escalation procedures, rapid mitigation, and post-mortem review. All employees are informed of these policies.
Reporting An Issue
We appreciate your input and feedback on our security, and we support responsible disclosure.
If you have identified a security concern, please raise a request in our support system. We will work with you to make sure we understand the issue and address it promptly.