Security Question for HipChat

Hi,

We have some questions from a security point of view on HipChat Server:

Could we enforce SSL on all connections in HipChat?

2-factor authentication enforceable (or using Google Apps, where we already enforce it)

SSO - is it possible to invite external users to the account?

does SSO work with 2-factor authentication enabled and using two or more different domains?

Device policy enforceable on mobile devices allowed to connect/connecting to messaging service

Can integrations be limited to those whitelisted by an admin user?

Role based administration of the account?

Adjustable retention of server-side message store (i.e. 'delete all sent messages after x days')

Alerting on (highlighting of) keywords mentioned on any channel, also not the joined channels (to admins only)

Server-side encryption of messages

Provider is actively running a whitehat/bug bounty program

 

Thanks in advance

1 answer


Hi Samuel,

We use encryption for all communications between clients and Server. HTTP listens on port 80 simply to redirect to 443. You can block access to port 80 at your firewall if you please.

We don't have 2 factor authentication or single sign on yet.

Mobile policy is up to you. HipChat Server can be run on private networks, accessed with a VPN service.

Integrations are not white or blacklisted. You can restrict access between addon services and your Server deployment at your firewall.

We only have three administration roles for Server: system shell, admins and users. We're considering more granular administration roles and would love to hear about your requirements.

We have adjustable retention of server-side messages already, see /admin/.

You can add webhooks or create an integration to send alerts based on keywords or regular expressions. See https://www.hipchat.com/docs/apiv2/webhooks

The data at rest is not encrypted within the Server, but some virtualization and SAN solutions allow encryption of the entire VM.

We don't have a security bounty program at present. Atlassian does have a hall of fame (https://www.atlassian.com/security/hall-of-fame) for those kind enough to report vulnerabilities.

Thanks for your interest in HipChat Server!

 

Will DeHaan
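
The keyword alerting suggested in the answer, sketched as an added example that is not part of the original answer or HipChat's own code: a matcher a webhook receiver could run on each delivered body. The payload field layout (`event`, `item.message.message`, `item.message.from`, `item.room.name`), the rule names and the sample message are assumptions; check the layout against the webhook documentation linked above.

```python
import json
import re

# Hypothetical watch list (rule name -> pattern); not from the original answer.
RULES = {
    "credential-share": re.compile(r"\bpassw(or)?d\s*[:=]", re.IGNORECASE),
    "confidential-marker": re.compile(r"\bconfidential\b", re.IGNORECASE),
}

def _as_dict(value):
    """Treat anything that is not a JSON object as empty."""
    return value if isinstance(value, dict) else {}

def scan_event(raw_body, rules=RULES):
    """Return one alert per rule that matches a room_message webhook body."""
    try:
        event = _as_dict(json.loads(raw_body))
    except (TypeError, ValueError):
        return []  # not JSON: ignore rather than crash the receiver
    if event.get("event") != "room_message":
        return []  # other event types carry no chat text to inspect
    item = _as_dict(event.get("item"))
    message = _as_dict(item.get("message"))
    text = message.get("message")
    if not isinstance(text, str):
        return []
    sender = message.get("from")
    if isinstance(sender, dict):  # assumed: users are objects, bots plain strings
        sender = sender.get("mention_name") or sender.get("name")
    room = _as_dict(item.get("room")).get("name")
    alerts = []
    for name, pattern in rules.items():
        match = pattern.search(text)
        if match:
            # Report the offset, not the matched text, so the alert channel
            # does not become a second copy of the sensitive message.
            alerts.append({"rule": name, "room": room,
                           "sender": sender, "offset": match.start()})
    return alerts

# Constructed sample payload (assumed field layout, not captured traffic).
SAMPLE = json.dumps({
    "event": "room_message",
    "item": {
        "message": {"from": {"mention_name": "sam"},
                    "message": "the staging password: is in the confidential doc"},
        "room": {"name": "ops"},
    },
})
```

Call `scan_event` on each POST body the webhook delivers and forward the returned alerts to the admins who should see them.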
