Security Policy

At TMAN Consulting, we take security seriously. This policy outlines how we handle security concerns for our Atlassian apps.

🔐 Data Security

• All configuration data and credentials are securely stored using **Atlassian Forge’s encrypted storage APIs**.
• No customer data is processed or stored outside Atlassian infrastructure.
• OAuth tokens and integration secrets are never logged or transmitted in plaintext.

🐞 Reporting a Security Vulnerability

If you believe you’ve discovered a vulnerability in any of our apps or services, we encourage responsible disclosure. Please contact us at:

📧 Email: will.shi@tman.ltd

When reporting, please include:

• A clear description of the vulnerability
• The affected app or feature
• Steps to reproduce (if applicable)

We will acknowledge your report within 2 business days, and aim to resolve verified issues within 30 days.

📦 Vulnerability Handling Process

• All reports are triaged confidentially and assessed for severity
• We follow responsible disclosure practices and do not share issues publicly before a fix is available
• Fixes are deployed using Atlassian Forge’s secure release system
• Affected customers will be notified if action is required

🤝 Responsible Disclosure

We appreciate researchers and users who follow responsible disclosure principles and report issues to us privately. We do not pursue legal action against those acting in good faith.