Marketplace trust center

Security Practices

Worklog Rollup for Jira is designed as an Atlassian Forge app for Jira Cloud, with a narrow data scope focused on Jira logged-time rollups.

Architecture

The app renders a Jira issue panel and calls Forge backend code to retrieve issue data through Jira APIs. It reads the current issue context, descendant issue relationships and Jira time tracking values needed to calculate totals.

Atlassian Forge security posture

Atlassian describes Forge as a serverless app development platform where compute and storage can be hosted on Atlassian infrastructure. The app is designed to use this Forge model and not send worklog data to a separate vendor backend.

Permissions

read:jira-work is used to read issue and time tracking data. storage:app is used for an app-scoped calculation cache and operational usage de-duplication. Jira permissions continue to control which issue data a user can access in Jira.

Data storage

The app uses a short-lived Forge Storage cache for calculation results. The current calculation cache lasts up to 5 minutes. It does not store costs, rates, invoices or Tempo data.

Worklog data scope

The app reads Jira issue time tracking fields such as timespent and timetracking.timeSpentSeconds. It does not read individual worklog entries and does not use Tempo APIs.

Logging

The app should avoid logging sensitive issue content. Technical logs should focus on operational status and error diagnosis.

Vulnerability reporting

Security issues can be reported to support.jira@mederak.app. Please include reproduction steps, impact, affected tenant context and screenshots where appropriate.

Atlassian Marketplace alignment

The app is prepared with Marketplace security expectations in mind, including least-privilege thinking, privacy documentation, customer terms, support contact and transparency about data handling.