Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How can I determine if a JIRA plugin is safe?

Matt Donofrio
Matt Donofrio
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 23, 2014

There are a few Marketplace plugins I'm looking to install and they are not from Atlassian. How can I be sure that these plugins aren't malicious? Are all marketplace plugins vetted for malicious code? Furthermore, what capabilities do plugins have; could they read in ticket info and make external requests to a malicious server?

Answer
Watch
Like # people like this
1638 views

2 answers

1 accepted

5 votes
Answer accepted
wadey
wadey
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 27, 2014

Matt,

We do an approval per Mehmet's answer, on all Paid-via-Atlassian add-ons. That includes design, feature and quality tests. We look for unusual behaviours and unusual traffic. We also do a cursory review of other add-ons. We don't review the source code however, and I do generally suggest if your company is security conscious (and many are) you do some testing of your own in an appropriate enviroment before installing in production; in order to ensure the plugins also meet your standards.

-nick wade
Head of Ecosystem

Reply
2 votes
Mehmet Kazgan
Mehmet Kazgan
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 23, 2014

They are safe, they would not be listed in Marketplace if otherwise. See the requirements here.

https://developer.atlassian.com/display/MARKET/Add-on+approval+guidelines

View More Comments
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 23, 2014

To add to that last point - yes, you could write a plugin that makes malicious requests to other servers. But it really would not make it far on the marketplace, and you'd have to have a jira admin who you could fool into uploading malicious software!

Like
Reply

Suggest an answer

Log in or Sign up to answer
Product apps
Apps & Integrations
TAGS
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.