Security Policy
1. Overview
At DevOpsSystems, security is an important principle throughout the design, development, release, support, and maintenance of our Atlassian Marketplace applications.
We are committed to protecting customer information, applying secure development practices, maintaining controlled access to development systems, managing vulnerabilities responsibly, and continuously improving the security posture of our products and processes.
This Security Policy provides a public overview of DevOpsSystems security practices. More detailed process information is available in the Software Development Life Cycle, Vulnerability Management Program, Service Level Agreement, and Privacy Policies.
2. Scope
This Security Policy applies to:
- DevOpsSystems Marketplace apps,
- Forge apps,
- Data Center apps,
- development processes,
- release processes,
- support and vulnerability handling processes,
- related internal development systems.
The exact security controls may vary depending on product architecture, deployment model, technology stack, and product maturity.
3. Security Principles
DevOpsSystems security practices are based on the following principles:
- Security by Design
- Least Privilege
- Defense in Depth
- Secure Development
- Traceability
- Controlled Access
- Responsible Vulnerability Management
- Continuous Improvement
Security considerations are integrated into planning, development, testing, release, support, and maintenance activities.
4. Product Architecture
DevOpsSystems provides apps for Atlassian Cloud and customer-managed Atlassian Data Center environments.
Forge Apps
Forge apps are developed using the Atlassian Forge platform. Forge apps execute within Atlassian-managed infrastructure and use Atlassian-provided platform capabilities such as authentication, app execution, storage, permissions, and security controls.
DevOpsSystems does not operate dedicated customer-specific application infrastructure for Forge app data unless explicitly stated for a specific app or feature.
Data Center Apps
Data Center apps are installed and operated within customer-managed Atlassian environments.
Customers retain control over:
- infrastructure,
- network configuration,
- databases,
- file systems,
- backups,
- user permissions,
- host product configuration,
- log retention,
- operational monitoring.
DevOpsSystems does not have direct access to customer-managed environments unless the customer voluntarily provides information through support or troubleshooting.
5. Access Management
Access to development systems, repositories, support systems, and internal resources is restricted to authorized personnel.
Access management practices may include:
- multi-factor authentication,
- role-based access control,
- least-privilege permissions,
- controlled repository access,
- controlled support access,
- periodic access review,
- removal of access when no longer required.
Access rights are granted according to role and business need.
6. Secure Development Lifecycle
Security is integrated into the DevOpsSystems Software Development Life Cycle.
Development practices may include:
- requirements tracking,
- code review,
- pull request workflows,
- automated tests,
- code quality checks,
- dependency scanning,
- security analysis,
- secret detection,
- controlled release procedures,
- release documentation,
- traceability between work items and code changes.
Detailed information is available in the Software Development Life Cycle documentation.
7. Security Testing and Validation
DevOpsSystems uses security and quality validation activities to identify potential issues early.
Security validation may include:
Static Application Security Testing
DevOpsSystems uses static application security testing to identify potential code-level vulnerabilities, insecure patterns, and quality issues.
Software Composition Analysis
Dependencies and third-party components may be monitored for known vulnerabilities and security advisories.
Secret Detection
Automated or manual controls may be used to reduce the risk of credentials, API keys, tokens, passwords, or other secrets being committed to repositories.
Code Review
Code changes may be reviewed to identify functional, quality, maintainability, and security concerns.
Dynamic Testing
Dynamic Application Security Testing (DAST) is planned for selected products and scenarios. Where technically applicable and appropriate for the product architecture, dynamic security testing will be introduced as part of the security validation process.
8. Release Controls
Releases are performed in a controlled and traceable manner.
Release controls may include:
- successful build validation,
- passing relevant tests,
- review of code quality findings,
- review of security findings,
- versioning,
- release notes,
- controlled publishing,
- Marketplace release processes where applicable.
Security findings are reviewed, prioritized, and handled according to risk and impact.
9. Vulnerability Management
DevOpsSystems maintains a Vulnerability Management Program covering supported products and related development systems.
Vulnerability management includes:
- identification,
- acknowledgement,
- triage,
- severity assessment,
- remediation planning,
- fix implementation,
- verification,
- release or mitigation,
- communication,
- closure,
- continuous improvement.
Severity is classified using CVSS v3.x base scores, and remediation timeframes for Cloud and Forge apps are aligned with the Atlassian Marketplace Security Bug Fix Policy. Detailed information is available in the Vulnerability Management Program.
9.1 Security Contact and Atlassian Marketplace Security (AMS)
DevOpsSystems maintains at least one designated security contact and an account on ecosystem.atlassian.net to receive notifications about product-related vulnerabilities through the Atlassian Marketplace Security (AMS) ticketing system.
9.2 Public Vulnerability Overview
DevOpsSystems maintains a public vulnerability overview where disclosed security vulnerabilities for its apps are listed. The overview is publicly viewable by anyone:
https://devopssystems.atlassian.net/issues/?filter=10280
Users who want to be actively notified about new entries can subscribe to this filter. Subscribing requires signing in to the Atlassian instance beforehand. Please note that notifications are provided through the filter subscription itself; there is no separate email notification service.
10. Responsible Disclosure
DevOpsSystems welcomes responsible disclosure of security vulnerabilities.
Customers, researchers, and members of the security community who identify potential security issues are encouraged to report them through the Security Service Desk:
https://tickets.help.devopssystems.de/servicedesk/customer/portal/18/group/23/create/128
Reports are reviewed confidentially and handled according to the Vulnerability Management Program.
11. Incident Management
Security incidents are investigated, documented, and managed according to internal procedures.
Incident handling may include:
- intake and acknowledgement,
- severity assessment,
- containment,
- investigation,
- remediation,
- customer communication where applicable,
- documentation,
- lessons learned,
- process improvement.
Where required, affected customers will be informed in accordance with contractual, legal, and regulatory obligations.
12. Data Protection and Privacy
DevOpsSystems privacy practices are documented in separate privacy policies.
Relevant privacy documents include:
Data Center apps operate in customer-managed environments. Forge apps operate on Atlassian Forge. Support data is processed according to the applicable privacy policy and support process.
13. Customer Responsibilities
Security is a shared responsibility.
Customers are responsible for securing their own environments, including:
- Atlassian user and permission management,
- infrastructure security,
- network security,
- backups,
- operational monitoring,
- host product patching,
- app updates,
- review of logs before sharing,
- secure management of credentials and tokens.
For Data Center apps, customers are responsible for installing updates in their own environments.
14. Support and Security Communication
General support requests are handled according to the Service Level Agreement.
Security vulnerabilities are handled according to the Vulnerability Management Program.
Security reports should be submitted through the Security Service Desk:
https://tickets.help.devopssystems.de/servicedesk/customer/portal/18/group/23/create/128
15. Related Documentation
Additional information is available in the following documents:
16. Review and Updates
This Security Policy is reviewed periodically and may be updated to reflect changes in security practices, products, technologies, regulatory requirements, or business operations.
Last updated: