Security Policy

Last Updated: July 24, 2025

1. Introduction

This Security Policy outlines the measures and controls implemented by ricebean.net to ensure the confidentiality, integrity, and availability of our software, and the data it processes. Our commitment to security is foundational to building trust with our customers and adhering to the stringent requirements of the Atlassian Marketplace and others.

This policy applies to all personnel, systems, processes, and third-party services involved in the development, deployment, maintenance, and operation of our software.

2. Scope

This policy covers the security of ricebean.net software, including:

  • Application Security: Secure coding practices, vulnerability management, and protection against common web vulnerabilities.
  • Data Security: Protection of customer data, including data at rest and in transit, and adherence to data privacy principles.
  • Identity and Access Management: Secure authentication and authorization mechanisms for both users and internal systems.
  • Infrastructure Security (if applicable): Security of the underlying infrastructure hosting the add-on (e.g., cloud environment, servers).
  • Vulnerability Management & Incident Response: Processes for identifying, reporting, and responding to security vulnerabilities and incidents.
  • Third-Party Security: Management of security risks associated with third-party libraries and services.
  • Compliance: Adherence to Atlassian Marketplace security requirements and relevant data privacy regulations.

3. Roles and Responsibilities

  • ricebean.net Security Lead / CTO: Overall responsibility for the establishment, implementation, and enforcement of this security policy.
  • Development Team: Responsible for implementing secure coding practices, conducting security testing, and remediating vulnerabilities.
  • Operations/DevOps Team (if applicable): Responsible for securing the add-on’s infrastructure, monitoring, and incident response.
  • All Employees: Responsible for understanding and adhering to the security policies and reporting any suspected security incidents.

4. Application Security

  • Secure Development Lifecycle (SDL): Security considerations are integrated into all phases of the software development lifecycle, from design and coding to testing and deployment.
  • Input Validation and Output Encoding: All untrusted data (user input, external API responses) will be validated against an allowlist of expected formats to mitigate injection vulnerabilities (e.g., SQL injection, command injection, XSS); XML parsers will be configured with external entity resolution disabled to prevent XXE. All output rendered to users will be encoded for the context in which it is placed (HTML body, attribute, JavaScript, URL).
  • Authentication & Authorization:
    • The add-on will utilize Atlassian’s recommended authentication mechanisms (e.g., JWT-based authentication for Connect apps), verifying the signature, expiry and query string hash of every incoming request before acting on it.
    • The principle of least privilege will be applied, ensuring that the add-on requests only the necessary scopes to perform its intended functionality.
    • All endpoints will enforce proper authentication and authorization checks.
    • User authentication data (passwords, API tokens, etc.) belonging to Atlassian user accounts will not be collected or stored by the add-on.
  • Session Management: Session cookies will be set with the HttpOnly and Secure flags and an appropriate SameSite attribute, will carry a high-entropy identifier, and will be invalidated upon logout or after a period of inactivity.
  • Error Handling and Information Leakage: Error messages will be generic and will not disclose sensitive system information (e.g., stack traces, internal paths, API keys). OAuth tokens, client secrets, and shared secrets will not be exposed in client-side code, error messages, or public repositories.
  • Secure API Usage:
    • When interacting with Atlassian APIs, the add-on will use authenticated and authorized requests.
    • If the add-on exposes its own APIs, strong authentication, input validation, and rate limiting will be implemented.
  • Server-Side Request Forgery (SSRF) Mitigation: Strict controls will be enforced when establishing network connections to user-supplied URLs: the scheme and host will be validated against an allowlist, destinations that resolve to loopback, private, link-local or cloud metadata addresses will be rejected, and redirects will be re-validated hop by hop rather than followed automatically.
  • Deserialization Vulnerability Mitigation: When implementing serialization and deserialization, security controls will be in place to prevent arbitrary deserialization, such as using an allowlist of permissible objects.
  • Third-Party Libraries and Dependencies:
    • Regular software composition analysis (SCA) will be conducted to identify and remediate vulnerabilities in third-party libraries and dependencies.
    • Libraries with known critical- or high-severity vulnerabilities will be upgraded or replaced promptly.
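The "URL validations" the SSRF bullet calls for only work if they check where a name actually resolves and are repeated on every redirect. The following is an added example of such a guard (Python, written for this page; it is not ricebean.net's code). DNS and the HTTP client are injected as callables so the example runs offline; the hostnames, addresses and redirect responses at the bottom are constructed for the example, not real records.

```python
"""SSRF guard for outbound requests to user-supplied URLs.

Added example for this policy, not ricebean.net's code. DNS and the HTTP
client are injected callables so it runs offline; the resolver table and
fetch responses at the bottom are constructed, not real records.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

# Ranges a server-side fetch must never reach; the cloud metadata endpoint
# 169.254.169.254 sits inside the IPv4 link-local block.
_BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class UnsafeUrl(ValueError):
    """Destination failed the SSRF checks."""


def _is_blocked(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 ranges apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_multicast or ip.is_reserved or any(ip in n for n in _BLOCKED_NETWORKS)


def validate_outbound_url(url, resolve, allowed_hosts=None):
    """Return 'host:port' if safe to connect to, else raise UnsafeUrl.
    The decisive check is on the *resolved* addresses, not the URL string:
    string filters miss DNS names that point inward and split-horizon records."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("credentials embedded in URL")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    try:
        port = parts.port or 443        # .port raises on a non-numeric port
    except ValueError:
        raise UnsafeUrl("malformed port") from None
    if port != 443:
        raise UnsafeUrl(f"port not allowed: {port}")
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        raise UnsafeUrl(f"host not on allowlist: {host}")
    try:
        ipaddress.ip_address(host)      # literal IP in the URL: check it directly
        addrs = [host]
    except ValueError:                  # hostname: check every address it resolves to
        addrs = list(resolve(host))
    if not addrs:
        raise UnsafeUrl(f"host does not resolve: {host}")
    for addr in addrs:
        if _is_blocked(ipaddress.ip_address(addr)):
            raise UnsafeUrl(f"{host} resolves to blocked address {addr}")
    return f"{host}:{port}"


def is_safe_url(url, resolve, allowed_hosts=None):
    try:
        validate_outbound_url(url, resolve, allowed_hosts)
        return True
    except UnsafeUrl:
        return False


def guarded_fetch(url, fetch, resolve, allowed_hosts=None, max_redirects=3):
    """Follow redirects by hand so every hop is re-validated; an allowlisted
    host must not be able to bounce the request to an internal address."""
    for _ in range(max_redirects + 1):
        validate_outbound_url(url, resolve, allowed_hosts)
        status, location = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return url, status
        if not location:
            raise UnsafeUrl("redirect without Location header")
        url = urljoin(url, location)    # Location may be relative
    raise UnsafeUrl("too many redirects")


# Constructed stand-ins for DNS and an HTTP client (not real records).
_FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "evil.example.net": ["203.0.113.20", "10.0.0.5"],   # one public, one internal
    "meta.example.org": ["::ffff:169.254.169.254"],     # mapped metadata address
}
_FAKE_HTTP = {                                          # url -> (status, Location)
    "https://api.example.com/moved": (301, "/v2/resource"),
    "https://api.example.com/redirect": (302, "https://169.254.169.254/latest/meta-data/"),
}


def fake_resolve(host):
    return _FAKE_DNS.get(host.lower(), [])


def fake_fetch(url):
    return _FAKE_HTTP.get(url, (200, None))


def run_demo():
    """Fetch each constructed URL through the guard and report the outcome."""
    results = {}
    for url in _FAKE_HTTP:
        try:
            results[url] = guarded_fetch(url, fake_fetch, fake_resolve)
        except UnsafeUrl as exc:
            results[url] = f"blocked: {exc}"
    return results
```

Two caveats the block cannot close by itself: a DNS answer can change between the check and the connection (rebinding), so the production client should connect to the address that passed the check and send the hostname via SNI and the Host header; and the host allowlist should be the first line of defence, with the resolved-address check as the backstop rather than the only control.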

5. Data Security and Privacy

  • Data Minimization: Only data essential for the add-on’s functionality will be collected and processed.
  • Data Classification: Data handled by the add-on will be classified based on its sensitivity (e.g., public, internal, confidential, restricted).
  • Data Encryption:
    • Data in Transit: All communication between the add-on and Atlassian products, as well as any external services, will be encrypted using TLS version 1.2 or higher with strong cipher suites (e.g., ECDHE key exchange with AES-256-GCM or ChaCha20-Poly1305; no CBC, RC4, export, anonymous or null suites). HSTS will be enabled with a max-age of at least one year (31536000 seconds).
    • Data at Rest: All sensitive customer data stored outside of the Atlassian product or user’s browser (e.g., in databases, object storage) will be encrypted at rest using industry-standard strong cryptographic algorithms (e.g., AES-256).
  • Secure Data Storage: Sensitive information (e.g., API tokens, encryption keys) will be stored securely using appropriate mechanisms (e.g., dedicated key management services or secret stores injected at runtime) and will not be hardcoded in source code, committed to version control, or placed in other easily accessible locations.
  • Data Retention and Deletion: Data will be retained only for as long as necessary to fulfill its purpose or meet legal obligations. Secure deletion processes will be in place.
  • Privacy Policy: A clear and comprehensive Privacy Policy will be published on the Atlassian Marketplace listing and/or our website, detailing what data is collected, why it’s collected, how it’s used, how it’s stored, and user rights regarding their data.
  • Data Processing Agreement (DPA): A DPA will be available upon request for customers requiring specific data processing terms.
  • Cross-Border Data Transfers: Any cross-border transfers of personal data will comply with applicable data protection laws and utilize appropriate legal mechanisms (e.g., Standard Contractual Clauses).
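For the data-in-transit commitments above, here is an added example (Python, written for this page; not ricebean.net's code) of a client TLS context pinned to TLS 1.2 or higher with forward-secret AEAD suites, together with a small checker for the Strict-Transport-Security header the add-on's base URL should return. The cipher string is one reading of "strong cipher suites" and is an assumption; the header values passed to the checker are constructed.

```python
"""TLS client settings and an HSTS header check for section 5.

Added example, not ricebean.net's code. The cipher string is one reading of
"strong cipher suites" (assumed here: ECDHE + AEAD only); the sample
header values checked in the test are constructed.
"""
import ssl

ONE_YEAR = 31_536_000  # seconds; the HSTS minimum this policy commits to

# TLS 1.2 suites: ECDHE for forward secrecy, AEAD only (no CBC/HMAC, RC4,
# anonymous or null suites). OpenSSL negotiates the TLS 1.3 suites
# separately from this string; they are all AEAD.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5"


def build_client_context():
    """Context for the add-on's outbound HTTPS calls (Atlassian REST, webhooks)."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0 / 1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def context_summary(ctx):
    """Facts about a context worth asserting in a CI check."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "cipher_count": len(names),
        "all_aead": all("GCM" in n or "CHACHA20" in n for n in names),
    }


def check_hsts(header, require_subdomains=True):
    """Validate a Strict-Transport-Security value; return (ok, reason).
    RFC 6797: directive names are case-insensitive and max-age is mandatory."""
    directives = {}
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        if name:
            directives[name.strip().lower()] = value.strip().strip('"')
    if "max-age" not in directives:
        return False, "max-age directive missing"
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return False, "max-age is not an integer"
    if max_age < ONE_YEAR:
        return False, f"max-age {max_age} is below one year ({ONE_YEAR})"
    if require_subdomains and "includesubdomains" not in directives:
        return False, "includeSubDomains missing"
    return True, "ok"
```

The same checker can run in CI against the deployed base URL by feeding it the header from a HEAD request; a server-side context is built the same way starting from ssl.create_default_context(ssl.Purpose.CLIENT_AUTH).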

6. Infrastructure Security (if applicable)

  • Cloud Security Best Practices: For cloud-hosted add-ons, we adhere to the shared responsibility model and implement security best practices for the chosen cloud provider (e.g., AWS, Azure, GCP).
  • Network Security:
    • Firewalls and security groups will be configured to restrict network access to only necessary ports and protocols.
    • Network segmentation will be implemented to isolate critical components.
    • DDoS protection mechanisms will be employed.
  • Server Hardening: Servers hosting the add-on will be hardened by disabling unnecessary services, removing default credentials, and applying security configurations.
  • Patch Management: A robust patch management process will be in place to ensure operating systems, libraries, and all software components are kept up-to-date with the latest security patches.
  • Monitoring and Logging: Comprehensive logging of security-relevant events (e.g., access attempts, administrative actions, unusual activity) will be enabled and continuously monitored. Logs will be protected from unauthorized access or tampering. Secrets and tokens will not be logged.
  • Multi-Factor Authentication (MFA): MFA will be enforced for all administrative access to the add-on’s infrastructure and development environments.
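"Secrets and tokens will not be logged" is easiest to enforce at the logging layer rather than at every call site. The following is an added example (Python, written for this page; not ricebean.net's code) of a logging filter that scrubs bearer tokens, JWTs and secret-bearing query parameters before a record is written. The token formats are assumed to be the ones a Connect app commonly handles, the logger name is hypothetical, and the log lines are constructed.

```python
"""Redact bearer tokens, JWTs and secret-bearing parameters before log
records are written.

Added example, not ricebean.net's code. The patterns cover token forms a
Connect app commonly handles (an assumption; extend them to match the app's
own credentials). The records emitted in demo_log_lines() are constructed.
"""
import logging
import re

_PATTERNS = [
    # ?jwt=..., &access_token=..., client_secret=... in URLs or form bodies
    (re.compile(r"(?i)(?<![A-Za-z0-9_])((?:jwt|access_token|token|client_secret|"
                r"shared_secret|api_key)=)[^&\s]+"), r"\1[REDACTED]"),
    # Authorization: Bearer <token>
    (re.compile(r"(?i)(authorization:\s*bearer\s+)[A-Za-z0-9._~+/=-]+"), r"\1[REDACTED]"),
    # Anything that still looks like a three-part JWT
    (re.compile(r"\b[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
     "[REDACTED-JWT]"),
]


def redact(text):
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class SecretRedactingFilter(logging.Filter):
    """Format the record once, scrub it, and drop the args so nothing
    downstream re-formats the unredacted values."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


class ListHandler(logging.Handler):
    """Collects formatted lines in memory (stand-in for a file/stdout handler)."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def demo_log_lines():
    """Emit constructed records through the filter and return what was written."""
    logger = logging.getLogger("ricebean.example")   # hypothetical logger name
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())       # on the handler, not the logger
    logger.handlers = [handler]
    jwt = "eyJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhYmMifQ.c2lnbmF0dXJlc2ln"  # constructed
    logger.info("Authorization: Bearer %s", jwt)
    logger.info("GET /rest/api/3/issue?jwt=%s from 203.0.113.7", jwt)
    logger.info("user %s called %s", "alice", "https://example.invalid/cb?access_token=abc123XYZ")
    logger.info("callback payload: %s", jwt)
    return handler.lines
```

Attach the filter to every handler rather than to a logger: a filter on a logger does not apply to records that propagate up from child loggers, so a handler-level filter is the only placement that covers the whole tree.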

7. Vulnerability Management

  • Regular Security Scanning:
    • Static Application Security Testing (SAST): Static code analysis will be performed on every release to identify security vulnerabilities in the source code.
    • Dynamic Application Security Testing (DAST): Dynamic analysis will be performed to identify vulnerabilities in the running application (e.g., OWASP Top 10 vulnerabilities).
    • Software Composition Analysis (SCA): Regular scans will be conducted to identify vulnerabilities in third-party libraries and dependencies.
  • Penetration Testing: Independent penetration tests may be conducted periodically to identify potential weaknesses.
  • Atlassian Marketplace Security (AMS) & Bug Bounty Program:
    • We will actively monitor and respond to Atlassian Marketplace Security (AMS) tickets related to our add-on.
    • We are committed to Atlassian’s Security Bug Fix Policy, adhering to the specified remediation timelines for identified vulnerabilities based on their CVSS severity.
    • We will consider participation in the Atlassian Marketplace Bug Bounty Program to leverage external security researchers.
  • Security Contact: At least one email address will be identified as a security contact and registered with Atlassian Marketplace Security (AMS) to receive vulnerability notifications.

8. Incident Response

  • Incident Response Plan: A documented incident response plan is in place, outlining procedures for identifying, containing, eradicating and recovering from security incidents, and for post-incident analysis.
  • Notification: In the event of a security incident involving customer data, affected customers and Atlassian will be notified promptly and transparently in accordance with legal and contractual obligations.
  • Communication: Clear communication channels and protocols will be established for internal teams and external stakeholders during an incident.
  • Forensics: Capabilities for forensic analysis will be maintained to investigate security incidents and determine root causes.

9. Employee Security Awareness and Training

  • Security Training: All employees involved in the development, deployment, or operation of the add-on will receive regular security awareness training, including secure coding practices, data privacy, and incident reporting.
  • Security Champions: We encourage and support security champions within our development team to drive security best practices.

10. Compliance

  • Atlassian Marketplace Requirements: We commit to meeting all current and future security requirements outlined by Atlassian for publishing and maintaining an add-on on their Marketplace (Cloud, Data Center, or Server specific requirements as applicable).
  • Data Protection Regulations: We will comply with relevant data protection regulations such as GDPR (General Data Protection Regulation) and CCPA (California Consumer Privacy Act) where applicable to the data processed by our add-on.
  • Regular Audits: We will conduct internal and/or external audits to assess compliance with this security policy and relevant regulations.

11. Policy Review and Updates

This Security Policy will be reviewed at least annually, or more frequently if there are significant changes to the add-on, its underlying technologies, or relevant security regulations. Any updates will be communicated to relevant stakeholders.