
Are Confluence & Jira Plugins Safe? Security FAQ

NGPilot · 9 min read

Atlassian Marketplace offers thousands of plugins for Confluence, Jira, and other Atlassian products. While these apps can dramatically extend what your teams accomplish, every plugin you install introduces a third-party component into your environment. For organizations handling sensitive project data, customer information, or internal knowledge bases, understanding plugin security is not optional — it is a core part of your governance and risk management strategy.

This FAQ walks through the most common security questions administrators and security teams ask when evaluating, installing, and managing Atlassian Marketplace apps. Each section provides concrete steps you can take to reduce risk and make informed decisions.

How do I evaluate a Confluence or Jira plugin's security?

Evaluating a plugin before installation is the single most important step you can take. Start by researching the vendor's reputation on the Atlassian Marketplace. Look at the number of installations, customer reviews, how long the vendor has been active, and whether they respond to support requests in a timely manner. A vendor with a long track record and active engagement is generally a safer bet than a newly listed app with no reviews.

Next, check whether the vendor publishes a dedicated security policy page. A transparent security policy signals that the vendor takes security seriously and has formal processes in place. Examine the permissions the app requests during installation. Atlassian's permission model requires apps to declare the scopes they need, such as read access to Confluence pages or write access to Jira issues. If an app requests permissions that seem excessive for its stated functionality, treat that as a warning sign.

Whenever possible, look for apps that make their source code available for review or that have published third-party security audit reports. The Atlassian Marketplace also indicates whether an app has achieved Cloud Fortified status, which means the vendor has met Atlassian's additional security and reliability requirements. NGPILOT publishes a security policy and all NGPILOT apps follow Atlassian's security requirements for Cloud Fortified compliance.

What is the principle of least privilege for Atlassian apps?

The principle of least privilege means granting an application only the minimum permissions it needs to perform its intended function. When you install a plugin, Atlassian shows you the scopes the app is requesting. Before clicking approve, ask yourself whether each scope is truly necessary. A macro that displays task lists, for example, should not need administrative access to user management.

Avoid installing apps that request global admin scope unless there is a clear and compelling reason. Global admin permissions give an app broad access across your entire instance, which significantly increases the potential impact if something goes wrong. Instead, look for apps that use fine-grained scopes aligned to their specific features.

You can review and manage installed app permissions through the Universal Plugin Manager (UPM) in your Atlassian administration console. The UPM shows which scopes each app has been granted and allows you to disable apps that seem overprivileged. Make it a regular practice to audit app permissions, especially after major updates or organizational changes. Most NGPILOT apps request only the specific scopes they need — for example, read access to page content for search features, or write access to specific entity properties for configuration storage — rather than broad administrative scopes.
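To make the scope audit described above repeatable, the following added example (not NGPILOT code or any Atlassian tool) checks a constructed inventory of installed apps against the scopes the administrator agreed each feature needs. The scope strings follow the Forge `action:resource:product` shape, but the specific values and app names are illustrative assumptions; the rule for what counts as a broad or administrative scope is also an assumption chosen for the example.

```python
"""Least-privilege audit of granted app scopes (added example, constructed data)."""
from dataclasses import dataclass, field

# Assumed policy: 'manage' or 'delete' actions, or resources that name
# configuration/admin/permission objects, are treated as broad scopes that
# need an explicit justification before approval.
BROAD_ACTIONS = {"manage", "delete"}
ADMIN_MARKERS = ("admin", "configuration", "permission")


@dataclass
class InstalledApp:
    name: str
    purpose: str                 # one-line description of the feature, as stated by the vendor
    granted: set[str]            # scopes shown as granted in the administration console
    justified: set[str]          # scopes the team agreed the feature genuinely needs
    findings: list[str] = field(default_factory=list)


def parse_scope(scope):
    """Split 'write:page:confluence' into (action, resource, product).

    Two-part scopes such as 'storage:app' yield an empty product string.
    """
    parts = scope.split(":")
    if len(parts) == 3:
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:
        return parts[0], parts[1], ""
    raise ValueError(f"unrecognised scope format: {scope!r}")


def is_broad(scope):
    """True when the scope grants administrative or broad write access under the assumed policy."""
    action, resource, _ = parse_scope(scope)
    return action in BROAD_ACTIONS or any(marker in resource for marker in ADMIN_MARKERS)


def audit(app):
    """Return findings for one app; an empty list means least privilege holds."""
    findings = []
    # Granted but never justified: the app asked for more than the feature needs.
    for scope in sorted(app.granted - app.justified):
        findings.append(f"unjustified scope granted: {scope}")
    # Broad scopes are flagged even when justified, so they get a written reason.
    for scope in sorted(app.granted):
        if is_broad(scope):
            findings.append(f"broad/administrative scope: {scope}")
    # Justified but missing: the feature is probably broken rather than over-privileged.
    for scope in sorted(app.justified - app.granted):
        findings.append(f"needed scope not granted (feature may be broken): {scope}")
    app.findings = findings
    return findings


# Constructed inventory; scope values are illustrative, not copied from any vendor's listing.
INVENTORY = [
    InstalledApp("Task list macro", "render task lists on a page",
                 granted={"read:page:confluence"},
                 justified={"read:page:confluence"}),
    InstalledApp("Issue exporter", "export issues to CSV",
                 granted={"read:jira-work", "manage:jira-configuration"},
                 justified={"read:jira-work"}),
    InstalledApp("Search helper", "full-text search over page content",
                 granted={"read:page:confluence", "storage:app", "write:page:confluence"},
                 justified={"read:page:confluence", "storage:app"}),
]


def overprivileged_apps(inventory=INVENTORY):
    """Names of apps with at least one finding, in inventory order."""
    return [app.name for app in inventory if audit(app)]


if __name__ == "__main__":
    for app in INVENTORY:
        result = audit(app)
        print(f"[{'REVIEW' if result else 'OK'}] {app.name} ({app.purpose})")
        for finding in result:
            print("   -", finding)
```

The useful output is the distinction between the three finding types: a justified broad scope still deserves a documented reason, an unjustified narrow scope is a candidate for disabling the app or asking the vendor why it is requested, and a missing scope points at a configuration problem rather than a security one.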

Should I be concerned about data residency with plugins?

Data residency is a critical consideration, particularly for organizations subject to regulations like GDPR, CCPA, or industry-specific compliance requirements. When you install a plugin, you need to understand where your data flows and where it is stored or processed. There are three common models: the app runs entirely within Atlassian's Cloud infrastructure, the app sends data to the vendor's own servers, or the app operates on-premise in your own data center.

Apps built using Atlassian's Forge platform run within Atlassian's own infrastructure and are subject to Atlassian's data residency and compliance controls. Connect-based apps, on the other hand, may transmit data to external servers operated by the vendor. Always review the vendor's privacy policy to understand how data is collected, stored, processed, and eventually deleted. Pay attention to where the vendor's servers are located and whether they support data residency restrictions for specific regions.

NGPILOT apps are designed to run within Atlassian's infrastructure and follow Atlassian's data residency requirements, which means your data does not leave the Atlassian Cloud environment. This approach reduces the attack surface and simplifies compliance audits because you can rely on Atlassian's existing compliance certifications rather than evaluating a separate vendor's infrastructure.

How do I check if a plugin vendor has a vulnerability disclosure program?

A mature vulnerability disclosure program is a strong indicator that a vendor takes security seriously. Start by looking for a dedicated security contact email or a security policy page on the vendor's website. This page should describe how security researchers and customers can report vulnerabilities, what the vendor's response timeline looks like, and whether they offer a bug bounty program.

Responsible disclosure is the industry standard approach. Under this model, the researcher reports the vulnerability privately, gives the vendor a reasonable timeframe to fix it, and only publishes details after a patch is available. Vendors who follow this practice and publish CVE (Common Vulnerabilities and Exposures) information demonstrate transparency and accountability. You can search public CVE databases for a vendor's name to see their disclosure history.

Vendors with a bug bounty program go a step further by actively incentivizing the security community to find and report vulnerabilities before malicious actors can exploit them. When evaluating a vendor, check whether they list their security practices on their Atlassian Marketplace vendor page and whether their apps carry Cloud Fortified status, which requires adherence to specific security practices. NGPILOT maintains a published security policy with clear contact information and follows responsible disclosure practices.

Why is it important to keep Confluence and Jira apps updated?

App updates are not just about new features. A significant portion of updates released by responsible vendors contain security patches that address vulnerabilities discovered since the last release. Running outdated apps leaves your instance exposed to known vulnerabilities that attackers can exploit, sometimes within days of a public disclosure.

Make it a habit to monitor release notes for the apps you have installed. Most vendors tag security fixes clearly in their changelogs. Atlassian Marketplace sends notifications to administrators when updates are available, and you can configure email preferences to ensure security-related updates are not missed. Where available, enable automatic updates so that critical patches are applied without delay. This reduces the window of exposure between when a vulnerability is disclosed and when your instance is patched.

For larger organizations, consider establishing a regular update cadence. For example, review and apply updates on a weekly or biweekly schedule, with an expedited process for critical security patches. Keep a record of which app versions are installed and when they were last updated. This documentation is valuable during security audits and compliance reviews.
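The cadence and record-keeping described above can be turned into a small script. The following added example (not NGPILOT code) classifies a constructed inventory of installed app versions against an assumed policy of a weekly regular cadence and a three-day window for security fixes; the app names, versions and dates are constructed, and in practice the installed versions would come from the administration console and the latest versions from the vendors' release notes.

```python
"""Update-cadence audit of installed app versions (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class AppRecord:
    name: str
    installed: str      # version currently installed on this instance
    latest: str         # newest version published by the vendor
    released: date      # publication date of the latest version
    security_fix: bool  # vendor tagged the latest release as a security fix
    last_updated: date  # when this instance last applied an update (kept for the audit record)


# Policy values are assumptions for the example.
REGULAR_CADENCE_DAYS = 7   # regular updates are due once a release is a week old
SECURITY_SLA_DAYS = 3      # security fixes must be applied within three days of release


def parse_version(version):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically.

    Comparing the raw strings would rank '2.9.4' above '2.10.0', hiding an update.
    """
    return tuple(int(part) for part in version.split("."))


def is_outdated(record):
    return parse_version(record.installed) < parse_version(record.latest)


def classify(record, today):
    """Return 'current', 'scheduled', 'due' or 'overdue-security' for one record."""
    if not is_outdated(record):
        return "current"
    age_days = (today - record.released).days
    if record.security_fix:
        # Security fixes skip the regular cadence: due immediately, overdue past the SLA.
        return "overdue-security" if age_days > SECURITY_SLA_DAYS else "due"
    return "due" if age_days >= REGULAR_CADENCE_DAYS else "scheduled"


def plan(inventory, today):
    """Group app names by status; work the 'overdue-security' list first."""
    result = {"current": [], "scheduled": [], "due": [], "overdue-security": []}
    for record in inventory:
        result[classify(record, today)].append(record.name)
    return result


def audit_record(inventory):
    """Lines suitable for the version record kept for security audits."""
    return [f"{r.name}: installed {r.installed} (last updated {r.last_updated.isoformat()}), "
            f"latest {r.latest} released {r.released.isoformat()}" for r in inventory]


TODAY = date(2024, 6, 17)   # fixed date so the example is reproducible

# Constructed inventory.
INVENTORY = [
    AppRecord("Task list macro", "3.2.0", "3.2.0", date(2024, 5, 20), False, date(2024, 5, 27)),
    AppRecord("Issue exporter", "1.8.0", "1.9.0", date(2024, 6, 12), True, date(2024, 4, 8)),
    AppRecord("Search helper", "2.9.4", "2.10.0", date(2024, 6, 14), False, date(2024, 6, 3)),
    AppRecord("Diagram viewer", "4.0.0", "4.1.0", date(2024, 6, 1), False, date(2024, 3, 11)),
    AppRecord("Team calendar", "5.1.0", "5.1.1", date(2024, 6, 15), True, date(2024, 6, 10)),
]

if __name__ == "__main__":
    for status, names in plan(INVENTORY, TODAY).items():
        print(f"{status}: {', '.join(names) or '-'}")
    print()
    print("\n".join(audit_record(INVENTORY)))
```

The "Search helper" record is the case worth noticing: a string comparison of `2.9.4` against `2.10.0` would report the app as current, which is why versions are parsed into numeric tuples before comparing.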

Should I test plugins in a staging environment first?

Testing new plugins in a staging or sandbox environment before deploying to production is a best practice that can save your team significant headaches. A staging environment that mirrors your production setup allows you to evaluate how a plugin behaves with your specific configuration, customizations, and existing apps without risking disruption to your users.

During staging testing, verify that the plugin works correctly with your current version of Confluence or Jira. Check that the plugin does not introduce performance degradation, especially if your instance handles large volumes of data or concurrent users. Test the permission configurations to ensure the app operates within the expected scopes and does not overreach. Pay particular attention to potential conflicts with existing apps — two plugins that modify the same part of the interface or rely on the same data structures can sometimes interfere with each other.

Document your testing process and results. This creates a repeatable evaluation framework your team can use for future plugin evaluations. If a plugin passes staging tests and is promoted to production, keep the staging environment updated with the same plugin versions so you can pre-test future updates before rolling them out.

Plugin security evaluation checklist

Use this checklist when evaluating any Atlassian Marketplace plugin before installation.

| Check | What to look for | Red flags |
| --- | --- | --- |
| Vendor reputation | Long Marketplace history, many installations, positive reviews, active support | New vendor with no reviews, unresolved support tickets, abandoned apps |
| Security policy | Published security page, vulnerability disclosure process, security contact | No security policy, no way to report vulnerabilities, vague security claims |
| Permissions and scopes | Minimal scopes matching app functionality, clear justification for each scope | Global admin scope for simple features, broad read/write access beyond stated purpose |
| Data handling | Privacy policy with clear data processing details, data stays in Atlassian infrastructure | Data sent to unknown third-party servers, no privacy policy, unclear data retention |
| Cloud Fortified status | App listed as Cloud Fortified on Marketplace, meets Atlassian's reliability bar | No Cloud Fortified status, no participation in Atlassian security programs |
| Update history | Regular updates, documented release notes, timely security patches | Infrequent updates, no changelog, long gaps between releases |
| Compliance | SOC 2, GDPR, or other relevant certifications documented | No compliance information, vague claims without evidence |
| Source code transparency | Public source code repository, third-party audit reports available | Closed source with no audit trail, refusal to share security practices |

What Cloud Fortified means

Cloud Fortified is an Atlassian program that recognizes apps meeting additional standards for security, reliability, and support. When you see the Cloud Fortified badge on a Marketplace listing, it means the vendor has gone through a structured assessment process and committed to practices that protect customer data and ensure app reliability.

To achieve Cloud Fortified status, a vendor must meet several requirements. Their app must use Atlassian's latest development platform, which provides better security isolation and infrastructure controls. The vendor must demonstrate responsible vulnerability management, including timely patching and transparent disclosure. They must maintain a minimum level of support responsiveness, ensuring customers can get help when they need it. The app must also meet specific uptime and reliability targets, reducing the risk of outages that affect your workflows.

Cloud Fortified apps are also required to participate in Atlassian's bug bounty program, which means they are continuously tested by security researchers. For administrators, choosing Cloud Fortified apps simplifies the evaluation process because Atlassian has already verified many of the security and reliability checks that you would otherwise need to perform yourself. NGPILOT apps are built to meet Cloud Fortified standards, providing an additional layer of confidence for security-conscious organizations.