
Security information about Sourcetree

Hi,

A few questions about using Sourcetree in a corporate environment.

It looks like the Sourcetree app requires users to create a Bitbucket account so they can use it and connect it to GitHub, as explained in this guide. Our security team would like to understand whether any data is made available to Atlassian through this process and what sort of data that is. If it includes any personal data, where is this data going to be stored geographically and how can we ensure that we meet our GDPR obligations?

We have also attempted to find information in relation to the security practices followed for the Sourcetree app; however, we have not been able to locate anything specific within your Trust Centre. All certifications published there seem to cover other Atlassian apps but not Sourcetree. Can you point us to any other specific resources?

And lastly, in some of the previous posts in the community it was mentioned that Sourcetree security advisories are not included in the subscription mailing list which is designed for this purpose. Why is this the case and what is the recommended way of receiving security advisories for the Sourcetree app?

Many thanks

2 answers

0 votes
Mike Corsaro Atlassian Team Jun 11, 2019

Hello!

I'll have to circle back on the security sub mailing list question, but in regards to Sourcetree requiring a Bitbucket account:

  • The Bitbucket account is only used to verify users -- we do not send any personally identifying data to our servers
    • Once you sign in you won't need to refresh credentials or anything like that
  • Sourcetree does have anonymous usage analytics -- we ask for permission for this in the welcome wizard, and it can additionally be disabled under "Options > Help improve Sourcetree by sending anonymous data about your usage"
  • If anonymous usage analytics are enabled then we do track the number of repos you've interacted with and the provider you're using. No personally identifying info such as the repo name, or code, or anything like that is sent. Atlassian does not have access to any of your code

Thanks Mike, will wait for your response on security advisories. 
