How can I determine if a JIRA plugin is safe?

There are a few Marketplace plugins I'm looking to install and they are not from Atlassian. How can I be sure that these plugins aren't malicious? Are all marketplace plugins vetted for malicious code? Furthermore, what capabilities do plugins have; could they read in ticket info and make external requests to a malicious server?

2 answers

1 accepted

5 votes
Accepted answer
Nick Wade Atlassian Team Jul 27, 2014

Matt,

We do an approval per Mehmet's answer, on all Paid-via-Atlassian add-ons. That includes design, feature and quality tests. We look for unusual behaviours and unusual traffic. We also do a cursory review of other add-ons. We don't review the source code, however, and I do generally suggest that if your company is security conscious (and many are) you do some testing of your own in an appropriate environment before installing in production, in order to ensure the plugins also meet your standards.

-nick wade
Head of Ecosystem

They are safe; they would not be listed in Marketplace otherwise. See the requirements here.

https://developer.atlassian.com/display/MARKET/Add-on+approval+guidelines

To add to that last point - yes, you could write a plugin that makes malicious requests to other servers. But it really would not make it far on the marketplace, and you'd have to have a JIRA admin who you could fool into uploading malicious software!
