The Move Work Forward team takes security seriously. We know we're not infallible and we are always working to improve our security practices. Below we detail our current practices.
All of your Jira issue / project / user data is kept in your Jira Cloud instance (similar data for other cloud Apps). Your data is never stored by our servers. Our Apps retrieve the data they require directly from your Atlassian Cloud instance.
Our Cloud versions require the following Atlassian Connect Permissions (Scopes): Read, Write, Delete and Project Administration. Project Administration is needed for the creation and updating of Versions.
Our server and data center products are following our security development process. We are following security code reviews and following security best practices.
We follow the Atlassian guidelines for security:
As an infrastructure backbone we use AWS.
Move Work Forward captures analytics events from our products and forwards events to Segment and Amplitude. We do not store any PII data. We do store data. required our Apps to work (mostly different identifiers).
We have a backlog that is ordered in terms of our vision for the product coupled with key customer feature requests. Team members pull stories from the backlog as capacity allows. Typically their first step is to write tests to assert the behaviour we expect. From there they will write code to make tests pass, and then refactor as needed.
When a team member is ready for code review they add two of their colleagues to a pull request. Their colleagues review the code for consistency, sanity, and against the acceptance criteria of the user story. There are usually a few comments of things to consider, tidy up or change, and these are then incorporated.
During the code review we also begin user acceptance testing of the functionality in the host product. At this point we're trying to ensure that what we deliver makes sense from a customers perspective. This often turns up UI/UX improvements for the story which are then subsequently included in the pull request.
Once the pull request has been approved the development branch is merged into our master branch where we do final user acceptance testing before merging to release branch and releasing the packages.
In the case of Cloud products the feature is then deployed automatically and customers begin to see the new version immediately. For Server and Data Center host products we select a commit on master that contains the desired functionality, we tag that with a version number and perform a manual release to Atlassian Marketplace.
On every commit to the development branch unit and functional tests are automatically run. Pre-commit hooks exist on the master branch which prevent a merge in the event a pull request has not been approved or tests are not passing.
We do not offer a bug bounty today. If you find a bug please raise a support request.
If you find a security vulnerability please email email@example.com directly.
Automation and monitoring means that team members do not require access to staging or production infrastructure.
All team members use 1Password to maintain a randomly generated password for each service, plus Two Factor Authentication for accessing our infrastructure providers.
Product access and security changes are limited to the CTO and CEO.