Has anyone had any security issues or concerns related to usage of Jira Cloud Forms?

James Woyciesjes
Contributor
November 20, 2025

We are considering utilizing the Forms feature to capture input/feedback from non-Jira users. There are only 2 levels of access for forms: Jira users or completely public, i.e. anyone with the link can submit. Wondering if anyone has had any security-related issues or concerns with the public access.

3 answers

1 accepted

0 votes
Answer accepted
John Funk
Community Champion
November 20, 2025

Hi James,

You might consider setting up a Jira Service Management project to capture the intake and then create an automation rule to clone the request into your software project. You have way more and better options of controlling who can access the form that way. 

0 votes
Olha Yevdokymova_SaaSJet
Atlassian Partner
November 30, 2025

Hi @James Woyciesjes 

You’re correct: in Jira Cloud there are currently only two visibility levels for native forms:

  • Jira users → authenticated users in your instance.

  • Public access → anyone with the link can view and submit.

Because public forms don’t require authentication, it’s true that they can be submitted anonymously and are potentially open to spam or misuse if the link is shared widely. Jira’s native forms don’t include extra security controls like CAPTCHA, IP restrictions, or domain whitelisting at this point.

Common Security Concerns with Public Jira Forms

  • Spam or bot submissions: Since there’s no CAPTCHA or verification, you can receive junk data if the link is exposed.

  • Sensitive data exposure: Users can accidentally submit confidential information through an unsecured link.

  • Auditability: There’s no clear submitter identity unless you include a required “Name/Email” field in the form.

To mitigate this, most teams either:

  • Use public forms only for low-risk data collection (e.g., feedback, surveys).

  • Gate access behind a portal (for authenticated Jira Service Management requests).

If You Need More Control

If you’re planning to collect structured data from external or internal users but want more control over security and submission tracking, you might look at Smart Forms for Jira (developed by my team). It adds some extra layers beyond what native Jira Forms provide:

  • Restricted external sharing: You can share forms publicly or limit access to “verified in your instance” users — no need to expose everything.

  • Form expiration & single-response links: For sensitive workflows (e.g., approvals), each link can allow one submission only and expires after 30 days.

  • Form editing restrictions: You can control who can view, edit, or download responses internally.

  • Captcha protection included

  • Audit trail: Every submission is stored in a linked Jira issue, so you retain full traceability even for external responses.

  • Optional embedding: You can safely embed forms into your service portal or website without revealing direct submission URLs.

In short:

  • Native Jira Forms are safe for general use but limited — there’s no CAPTCHA or access granularity beyond “public” or “Jira users.”

  • For more controlled, auditable submissions, tools like Smart Forms for Jira add restricted access, one-time links, and internal audit visibility — all while keeping responses securely tied to Jira work items.

James Woyciesjes
Contributor
December 9, 2025

I found this page: "How secure are public forms? | Jira Cloud | Atlassian Support", and it says that Jira Forms is using reCAPTCHA now, plus there is malware screening, from what I understand, for Jira/Conf cloud. I am having a security test run to evaluate whether we want to use it or not.

Thank you for the info on Smart Forms for Jira.

0 votes
Nikola Perisic
Community Champion
November 20, 2025

Hi @James Woyciesjes 

I would suggest only sharing the public forms with the users that you are intending to share them with. The probability of someone guessing the URL of your form is low. I also believe that these forms are protected from web-app-based attacks such as XSS, SQL injection and more. Only send the public forms to trusted users.

Deployment type: Cloud
Product plan: Enterprise
Permissions level: Product Admin