Security Policy — Flow Time for Jira
Reporting a vulnerability
If you discover a security vulnerability in Flow Time for Jira, please report it to security@flowtimeapps.com. Include a description, steps to reproduce, and any relevant details. We aim to acknowledge reports within 3 business days and to remediate confirmed issues promptly.
Please practise responsible disclosure: give us a reasonable opportunity to fix the issue before any public disclosure. We will not pursue legal action against good-faith security research conducted in line with this policy.
Our security posture
- Forge-native. The app runs entirely on Atlassian's Forge platform. We operate no servers of our own.
- No data egress. The app makes no calls to external services and transmits no data outside Atlassian. It qualifies for Atlassian's "Runs on Atlassian" program.
- Read-only. The app requests read-only permission scopes (read:jira-work) only and never modifies your Jira configuration or data.
- Acts as the viewing user. The app reads Jira data with the viewing user's own access rights, so it can only ever surface issues, changelogs, and projects that user is already entitled to see.
- Least privilege. Beyond reading work data, the app requests only storage:app to cache computed results in Atlassian's Forge storage — nothing more.
- Dependency hygiene. Dependencies are kept current and are scanned via Atlassian's Forge dependency scanner; vulnerabilities are patched promptly.
Data handling
Details of what data the app processes and stores are in the privacy policy. In short: Jira issue, changelog, and project data are read only to compute time-in-status statistics, and only your gadget configuration and short-lived cached results are stored within Atlassian's Forge storage. The content of your issues is never stored, and no data leaves Atlassian.
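The following is an added illustration, not Flow Time's own code: it shows the kind of computation the data-handling paragraph describes, namely deriving time-in-status from an issue changelog and caching only the computed result under a short TTL. The changelog is constructed sample data in the shape of Jira's changelog REST response, the `Map` stands in for Forge app storage, and every function name is an assumption made for the example.

```javascript
// Added example (not Flow Time's own code): time-in-status over a Jira issue
// changelog, plus a TTL cache of the computed statistics. The changelog below is
// constructed sample data in the shape returned by
// GET /rest/api/3/issue/{issueIdOrKey}/changelog.

const SAMPLE_CHANGELOG = {
  values: [
    { created: "2024-03-01T09:00:00.000+0000",
      items: [{ field: "status", fromString: "To Do", toString: "In Progress" }] },
    { created: "2024-03-01T10:00:00.000+0000",
      items: [{ field: "assignee", fromString: null, toString: "alice" }] }, // not a status change
    { created: "2024-03-03T09:00:00.000+0000",
      items: [{ field: "status", fromString: "In Progress", toString: "In Review" }] },
    { created: "2024-03-04T09:00:00.000+0000",
      items: [{ field: "status", fromString: "In Review", toString: "Done" }] },
  ],
};

// Jira emits offsets as "+0000"; Date.parse only guarantees "+00:00", so normalise first.
function parseJiraDate(s) {
  const ms = Date.parse(s.replace(/([+-]\d{2})(\d{2})$/, "$1:$2"));
  if (Number.isNaN(ms)) throw new Error(`unparseable Jira timestamp: ${s}`);
  return ms;
}

// Returns { statusName: milliseconds }. The interval from issue creation to the
// first transition is credited to the initial status; the current status is
// credited up to `now`. Only status transitions are read; other changelog items
// (assignee, description, ...) are ignored, and issue content is never retained.
// With no status transitions at all the initial status cannot be derived from the
// changelog alone, so an empty object is returned.
function timeInStatusMs(changelog, issueCreated, now = Date.now()) {
  const transitions = changelog.values
    .flatMap((h) => h.items
      .filter((i) => i.field === "status")
      .map((i) => ({ at: parseJiraDate(h.created), from: i.fromString, to: i.toString })))
    .sort((a, b) => a.at - b.at);

  const totals = {};
  let cursor = parseJiraDate(issueCreated);
  let current = transitions.length ? transitions[0].from : null;
  for (const t of transitions) {
    totals[current] = (totals[current] || 0) + Math.max(0, t.at - cursor);
    cursor = t.at;
    current = t.to;
  }
  if (current !== null) totals[current] = (totals[current] || 0) + Math.max(0, now - cursor);
  return totals;
}

// TTL cache keyed by gadget configuration. `store` is a Map standing in for Forge
// app storage (assumption). Only the computed statistics are written, with an
// expiry, so a stale entry is recomputed rather than served.
function cachedStats(store, key, ttlMs, compute, now = Date.now()) {
  const hit = store.get(key);
  if (hit && hit.expiresAt > now) return hit.value;
  const value = compute();
  store.set(key, { value, expiresAt: now + ttlMs });
  return value;
}

// Usage: stats for the sample issue as of 2024-03-05 09:00 UTC, cached for 10 minutes.
const asOf = parseJiraDate("2024-03-05T09:00:00.000+0000");
const store = new Map();
console.log(cachedStats(store, "gadget-1", 10 * 60 * 1000,
  () => timeInStatusMs(SAMPLE_CHANGELOG, "2024-03-01T08:00:00.000+0000", asOf), asOf));
```

The cache key is the gadget configuration, not any issue field, which matches the stated data-handling model: configuration and short-lived derived numbers are stored, issue content is not.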
Contact
Security and general support: security@flowtimeapps.com · support page.