Applies to all Larchmont Labs apps for Atlassian (including Config Audit for Jira and Recurring Tasks for Jira).
The short version: our apps run entirely inside Atlassian's Forge
platform — no external servers, no data egress, and narrowly scoped permissions. If you believe you've
found a security issue, email admin@larchmontlabs.com and
we'll respond quickly.
1. Reporting a vulnerability
Please report suspected security vulnerabilities to
admin@larchmontlabs.com. Where possible, include:
The affected app and a description of the issue.
Steps to reproduce, proof-of-concept, or relevant request/response details.
The potential impact, and any suggested remediation.
Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and
remediate it.
2. Our commitment
Acknowledgement within 2 business days of your report.
Triage and assessment of severity, and a remediation plan communicated back to you.
Coordinated disclosure — we'll work with you on timing and credit, and keep you
updated through to resolution.
We support good-faith security research. If you make a good-faith effort to comply with this policy,
avoid privacy violations and service disruption, and do not access or modify data beyond what is
necessary to demonstrate the issue, we will not pursue legal action against you for your research.
4. How our apps are secured
Runs on Atlassian. Our apps execute entirely within Atlassian's Forge sandbox.
Your data stays inside Atlassian's infrastructure and your installation's data boundary — there is
no external data egress.
Least privilege. Each app requests only the minimum Forge scopes required for its
function, and validates user permissions before performing privileged actions.
No secrets in the app. Authentication is handled by the Forge platform; our apps
do not collect Atlassian passwords or API tokens, and store no third-party credentials.
Dependency hygiene. We review dependencies for known vulnerabilities and keep them
up to date.
Encryption. Data in transit and at rest is handled by the Forge platform.
5. Incident notification
In the event of a confirmed security incident or critical vulnerability affecting customer data, we
will notify affected customers and Atlassian in line with Atlassian's Marketplace security incident and
vulnerability notification guidelines.