How can I determine if a JIRA plugin is safe?

There are a few Marketplace plugins I'm looking to install and they are not from Atlassian. How can I be sure that these plugins aren't malicious? Are all marketplace plugins vetted for malicious code? Furthermore, what capabilities do plugins have; could they read in ticket info and make external requests to a malicious server?

2 answers

1 accepted

This widget could not be displayed.
Nick Wade Atlassian Team Jul 27, 2014

Matt,

We do an approval per Mehmet's answer, on all Paid-via-Atlassian add-ons. That includes design, feature and quality tests. We look for unusual behaviours and unusual traffic. We also do a cursory review of other add-ons. We don't review the source code however, and I do generally suggest if your company is security conscious (and many are) you do some testing of your own in an appropriate enviroment before installing in production; in order to ensure the plugins also meet your standards.

-nick wade
Head of Ecosystem

This widget could not be displayed.

They are safe, they would not be listed in Marketplace if otherwise. See the requirements here.

https://developer.atlassian.com/display/MARKET/Add-on+approval+guidelines

To add to that last point - yes, you could write a plugin that makes malicious requests to other servers. But it really would not make it far on the marketplace, and you'd have to have a jira admin who you could fool into uploading malicious software!

Suggest an answer

Log in or Sign up to answer
Community showcase
Published Aug 22, 2018 in Marketplace Apps

How a Marketplace app tech team is achieving gender diversity

Hello! My name is Genevieve Blanch, and I'm the Marketing Manager at RefinedWiki, creators of apps to give teams the tools to customize Atlassian platforms. Currently, 44% of the tech team at Re...

486 views 3 18
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you