I'm trying to write a more defined approval process for new Add-Ons in our Jira Data Center environment. Assume you're managing an enterprise Jira (Or Confluence) environment, and there is a lot of sensitive IP contained in that Jira or Confluence. When your users request Add-Ons, how do you evaluate you those Add-Ons from a security perspective? What kind of criteria would you want the Add-Ons to follow, and then how would you ensure that new Add-Ons follow that criteria?
At a high level this basically means not wanting Add-Ons to be sending the actual content of our Jira issues or Confluence pages to some outside server somewhere, but I want something a little more concrete and defined than that. What criteria do you all use in your organizations, and how do you enforce it?