Security Policy for SamAuditor
Effective Date: June 2025
Contact: [email protected]
App Type and Architecture
SamAuditor is an Atlassian Connect app. Its backend is hosted on private servers behind a proxy layer and Cloudflare perimeter security. The app is designed to be lightweight and secure, requesting only the minimal permissions it needs.
Data Handling and Storage
- Stored Data: Software asset information provided by the user and collected software installation data.
- No sensitive Jira content (such as issue data) is stored.
- All stored data is scoped by Atlassian tenant ID and validated to ensure strict tenant isolation.
Storage Details:
- Data is stored in MongoDB, hosted on a private network.
- The database is not accessible from the public internet.
- Access is encrypted (TLS) and authenticated.
- Only internal services are permitted to connect to the database.
Authentication and Access Control
- Uses JWT authentication as per Atlassian Connect standards.
- Identity is verified on every request.
- All queries are scoped by and checked against the authenticated Atlassian ID.
- No admin or user credentials are stored or reused by the app.
Permissions and Scopes
SamAuditor requests only the minimum required Atlassian scope:
"scopes": [
  "READ"
]
This allows the app to read basic metadata necessary for software asset correlation. It does not allow the app to modify issues, access user data, or make administrative changes.
Infrastructure and Availability
- All traffic is routed through Cloudflare for DDoS protection, TLS, and global load balancing.
- Servers are geographically distributed to improve speed and redundancy.
- Features include automatic failover, encrypted database backups, and zero outbound internet access from internal applications.
Vulnerability Management
- Servers are patched regularly.
- Access to infrastructure is tightly controlled.
- Code changes are reviewed and deployed via a controlled pipeline.
- We plan to participate in the Atlassian Marketplace Bug Bounty Program.
Security Reports
If you believe you've found a vulnerability or have a security concern, please contact:
Email: [email protected]
We aim to acknowledge all valid reports within 1 business day and resolve critical issues quickly.
Commitments
SamAuditor is committed to:
- Data protection by design
- Least privilege access
- Tenant isolation
- Secure coding and infrastructure practices
- Transparent communication with users about security
About the Developer
SamAuditor is developed and maintained by an experienced IT professional with a strong background in securing critical national infrastructure in the United Kingdom. As part of that work, the developer has actively followed and implemented best practices and guidance from the UK National Cyber Security Centre (NCSC).
The developer holds current UK Government Security Clearance (SC) and is ISACA CISM certified, qualified to lead enterprise security operations and govern information risk at the highest levels. These credentials reflect a deep commitment to secure design, privacy by default, and responsible handling of user data.
Security is not just a feature of SamAuditor — it is a core principle built into every aspect of the app's architecture, development, and operation.