Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

I need some software security questions answered, please see below

Gary Weber
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
July 16, 2026
My company has used Sourcetree for several years, but my company was recently acquired and our new parent company is requiring us to get information on software we use, they will force us to abandon using Sourcetree if we cannot get answers for these questions, I'm hoping you all can help and have the answers easily available, see questions below.
-Provide architecture document which includes Logical and deployment diagrams and shows interfaces and protocols.
-Provide application high level technology stack (table listing name, version for each technology)
-Does the application have an up-to-date Threat Model?
-Does the Threat Model have a list of TOP security risks identified?
-Does the Threat Model have a list of security controls defined for the TOP risks?
-Does any of the security controls for the TOP risks centered around application-level logs collection or analysis?

1 answer

1 vote
Tomislav Tobijas
Community Champion
July 16, 2026

Hi @Gary Weber ,

Generally, some of these info can be found here: Trust Center 
Although the linked hub is mostly focused on cloud rather than on-prem solutions such as Sourcetree.

I've never actually explored to details trust and security topics around Sourcetree... Here's a purely AI-generated answer:

Architecture and Technology Stack

Sourcetree is a desktop client application (available for Windows and macOS) rather than a cloud-hosted service, which means its "deployment" is local to your workstations.

  • Architecture & Protocols: Sourcetree interfaces with Git and Mercurial repositories using standard protocols like HTTPS and SSH. For enterprise environments, we offer an MSI installer for Windows to support managed deployments at scale.

  • Technology Stack: As a native desktop application, the stack varies by OS (e.g., .NET for Windows and Swift/Objective-C for macOS). Detailed version tables for internal components are not typically public, but you can find general product boundaries in our System Security Plan.

Threat Modeling and Security Risks

Atlassian maintains a rigorous security program that includes threat modeling for our products.

  • Threat Model Status: We perform ongoing threat modeling during the planning and design phases of our products to identify and prioritize security risks.

  • Risk Identification & Controls: Our threat modeling involves "table-top" brainstorming sessions between engineers and architects to define security controls for identified risks. These risks and their corresponding controls are tracked internally via our Product Trust Scorecards.

  • Logging and Analysis: Atlassian maintains comprehensive logging standards. For our infrastructure and products, relevant system logs are forwarded to a centralized, read-only platform for monitoring and anomaly detection.

Accessing Detailed Documentation

Because some of the specific diagrams and risk lists you requested contain sensitive security information, they are not published openly on the web.

  • Atlassian Trust Portal: You can access detailed security collateral, compliance reports (like SOC2 or ISO 27001), and specific security questionnaires through our Customer Trust Portal.

  • Self-Service Access: The portal provides authenticated access for customers to perform efficient security reviews.

Also, as for any security risks, Atlassian does release security bulletins, which you can check here: Security Advisories & Bulletins 🚨

In the end, it would really depend on how far into detail the parent company will go. Someone might have additional resources on the topic, but these aren't so easy to find. 🧐

Cheers,
Tobi

Suggest an answer

Log in or Sign up to answer
TAGS
AUG Leaders

Atlassian Community Events