Just a heads up: On March 24, 2025, starting at 4:30pm CDT / 19:30 UTC, the site will be undergoing scheduled maintenance for a few hours. During this time, the site might be unavailable for a short while. Thanks for your patience.

×
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

How can I determine if a JIRA plugin is safe?

Matt Donofrio
Matt Donofrio
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
July 23, 2014

There are a few Marketplace plugins I'm looking to install and they are not from Atlassian. How can I be sure that these plugins aren't malicious? Are all marketplace plugins vetted for malicious code? Furthermore, what capabilities do plugins have; could they read in ticket info and make external requests to a malicious server?

Answer
Watch
Like # people like this
1633 views

2 answers

1 accepted

5 votes
Answer accepted
wadey
wadey
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
July 27, 2014

Matt,

We do an approval per Mehmet's answer, on all Paid-via-Atlassian add-ons. That includes design, feature and quality tests. We look for unusual behaviours and unusual traffic. We also do a cursory review of other add-ons. We don't review the source code however, and I do generally suggest if your company is security conscious (and many are) you do some testing of your own in an appropriate enviroment before installing in production; in order to ensure the plugins also meet your standards.

-nick wade
Head of Ecosystem

Reply
2 votes
Mehmet Kazgan
Mehmet Kazgan
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 23, 2014

They are safe, they would not be listed in Marketplace if otherwise. See the requirements here.

https://developer.atlassian.com/display/MARKET/Add-on+approval+guidelines

View More Comments
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
July 23, 2014

To add to that last point - yes, you could write a plugin that makes malicious requests to other servers. But it really would not make it far on the marketplace, and you'd have to have a jira admin who you could fool into uploading malicious software!

Like
Reply

Suggest an answer

Log in or Sign up to answer
Product apps
Apps & Integrations
TAGS
AUG Leaders

Atlassian Community Events

    See all events