Larchmont LabsLarchmont Labs

Security Policy

Applies to all Larchmont Labs apps for Atlassian (including Config Audit for Jira and Recurring Tasks for Jira).

The short version: our apps run entirely inside Atlassian's Forge platform — no external servers, no data egress, and narrowly scoped permissions. If you believe you've found a security issue, email admin@larchmontlabs.com and we'll respond quickly.

1. Reporting a vulnerability

Please report suspected security vulnerabilities to admin@larchmontlabs.com. Where possible, include:

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate it.

2. Our commitment

3. Safe harbor

We support good-faith security research. If you make a good-faith effort to comply with this policy, avoid privacy violations and service disruption, and do not access or modify data beyond what is necessary to demonstrate the issue, we will not pursue legal action against you for your research.

4. How our apps are secured

5. Incident notification

In the event of a confirmed security incident or critical vulnerability affecting customer data, we will notify affected customers and Atlassian in line with Atlassian's Marketplace security incident and vulnerability notification guidelines.

6. Security contact

admin@larchmontlabs.com