SmartFlow Studio

Security & Vulnerability Disclosure — Smart Metrics AI

Last updated: June 2026

This page describes the security posture of Smart Metrics AI, how to report a vulnerability, and how we respond to security incidents. It complements our Privacy Policy and Terms of Service.


1. Security Posture

Smart Metrics AI is a pure Atlassian Forge app. This shapes our entire security model:

  • No external infrastructure. There are no app-owned servers, databases, or third-party backends. All backend logic runs in Atlassian-managed Forge Functions.
  • Your data stays in your tenant. All data is stored in Forge Entity Storage / KVS, scoped to your Atlassian site and encrypted at rest by Atlassian.
  • No data exfiltration. The app makes no backend network calls. The only external resources are Google Fonts for UI rendering, which transmit no user or issue data.
  • Read-only Jira access. We request only the minimum scopes required and never write to your Jira data.
  • AI within Atlassian. AI coaching uses the Atlassian-hosted Forge LLM / Rovo. Only aggregated metric values are processed — never raw issues, comments, or PII.

2. Reporting a Vulnerability

If you believe you have found a security vulnerability in Smart Metrics AI:

  1. Do not post exploit details in a public issue.
  2. Email support@smartflowstudio.com.br with the subject line SECURITY.
  3. Include a description, affected component, reproduction steps, and any proof-of-concept.

We acknowledge receipt within 2 business days. We also welcome reports through the Atlassian Marketplace Security Bug Bounty Program.


3. Remediation Timelines

We align our fix timelines with the Atlassian Marketplace Security Bug Fix Policy, triaging by CVSS severity:

  • Critical (9.0–10.0): within 2 weeks
  • High (7.0–8.9): within 4 weeks
  • Medium (4.0–6.9): within 6 weeks
  • Low (0.1–3.9): within 90 days

4. Incident Response

In the event of a confirmed security incident or data breach, we:

  1. Detect & triage — confirm scope and severity and assign an owner.
  2. Contain — disable affected functionality or roll back the Forge deployment.
  3. Fix — identify root cause and deploy a new validated Forge version.
  4. Notify — inform Atlassian and any affected customers without undue delay, including the nature, impact, and remediation of the incident.
  5. Review — document a post-incident timeline and corrective actions.

We commit to notifying customers and Atlassian in the event of a critical vulnerability affecting the app.


5. Secure Development

  • MFA on our source code management system; production changes go through pull requests.
  • Dependency scanning (SCA): an automated npm audit runs in CI on every change and on a weekly schedule.
  • Development follows OWASP Top 10 guidance.
  • Least-privilege Forge scopes; no external API keys or secrets; no secrets in logs.

6. Contact


Smart Metrics AI is an independent app and is not affiliated with or endorsed by Atlassian Pty Ltd.