Git Integration for Jira
Security

BigBrassBand markets two types of applications on the Atlassian Marketplace:

  1. Cloud
  2. Self-hosted (Server and Data Center)

The following applies only to our Cloud products:

Hosting

  • We host our Cloud applications at Amazon Web Services.
  • Customer data is separate – there's no "common" store of Git data.
  • Data is encrypted in transit and at rest (using Amazon Web Services EBS features).
  • We use AWS security tools to inspect and audit.

Data

  • Only officers of BigBrassBand and senior Cloud engineering have access to customer data, and only they can temporarily grant other staff access to customer data for support/operations issues.
  • Backups are retained for 7 days and are also encrypted at rest.
  • If you cancel your subscription or trial without deleting data ahead of time, the data will persist for ~20 days before it is automatically reaped. This buffer gives people time to resubscribe without having to set up their connections again (for example, when a credit card expiration issue drags on).
  • If you delete the repository connections before ending your trial or unsubscribing, they are removed from EBS immediately and then age out of the 7-day backup.
  • Contact legal@bigbrassband.com to sign a Data Processing Agreement (DPA) with BigBrassBand for any Jira Cloud products.

Security bug bounty program

The BigBrassBand Bug Bounty Program is hosted on Bugcrowd, a SaaS platform built to crowdsource vulnerability discovery from a global pool of talented security researchers. This ongoing program invites security researchers to test for vulnerabilities and get rewarded for their findings. See the report below.

bigbrassband_14-OCT-2020.pdf

Communication of Security Advisories

When a critical severity security vulnerability in a BigBrassBand product is discovered and resolved, BigBrassBand will inform customers through the following mechanisms:

Reporting Vulnerabilities

Earlier this year (2020), BigBrassBand LLC joined the Atlassian Marketplace Bug Bounty program.

To report a security vulnerability in our products, please report your findings via Bugcrowd.  You can also email us at security@bigbrassband.com.  Thank you in advance!

When a critical security issue is discovered or reported, BigBrassBand will include the fix in the next scheduled maintenance release.

Customers should upgrade to a newer version in order to fix the vulnerability.