Git Integration for Jira Server/Cloud
Security

BigBrassBand markets two types of applications on the Atlassian Marketplace:

  1. Cloud
  2. Self-hosted (Server and Data Center)

The following applies only to our Cloud products:

Hosting

  • We host our Cloud applications at Amazon Web Services.
  • Customer data is separate – there's no "common" store of Git data.
  • Data is encrypted in transit and at rest, using Amazon Web Services EBS features.
  • We use AWS security tools to inspect and audit.

Data

  • Only officers of BigBrassBand have access to customer data; they can temporarily grant staff access to customer data for support/operations issues.
  • Backups are retained for 7 days and are also encrypted at rest.
  • If you cancel your subscription or trial without deleting data ahead of time, the data will persist for ~20 days before it is automatically reaped. This buffer gives people time to resubscribe without having to set up connections again (for example, after a credit card expiration issue that has run long).
  • If you delete the repository connections before ending trial or unsubscribing, then they're removed from EBS immediately and then age out of the 7-day backup.

Communication of Security Advisories

When a critical severity security vulnerability in a BigBrassBand product is discovered and resolved, BigBrassBand will inform customers through the following mechanisms:

  • We will post a security advisory on https://bigbrassband.com/security at the same time as releasing a fix for the vulnerability on the Atlassian Marketplace.
  • When a fix for the vulnerability is available on the Atlassian Marketplace, an email will be sent to all add-on watchers with "Security Update" in the email subject line. To receive this email and new version announcements, you must "Watch" the "Git Integration for Jira" add-on via Jira Administration > Manage add-ons > scroll to Git Integration for Jira. Customers can also "Watch" from the Marketplace listing: https://marketplace.atlassian.com/plugins/com.xiplink.jira.git.jira_git_plugin/cloud/overview.

Reporting Vulnerabilities

To report a security vulnerability in our products, email us at security@bigbrassband.com. Thank you in advance!

When a critical security issue is discovered or reported, BigBrassBand will include the fix in the next scheduled maintenance release.

Customers should upgrade to a newer version in order to fix the vulnerability.