Vivid Trace 2025.1 Security

This document details security considerations specific to this release of the Vivid Trace software, version 2025.1.

Note: While this document details security information specifically regarding version 2025.1 of the Vivid Trace software, the security-oriented information in the Legal Notices is updated as necessary after the release of this version. Taken together, this document and the applicable Legal Notices comprise the overall security stance of Vivid Inc. and its products and services. Future readings of the overall security stance represent the best information available at those given points in time.

Principles

Host platform systems like Atlassian Jira are configured according to security requirements that draw from a spectrum of needs, including locked-down systems in behind-the-firewall, offline environments, and open issue trackers that encourage public signup and publish nearly all ticket information. Vivid Trace is designed to mesh with your security requirements and enforce the host application's security model, while still maintaining good overall security practices, such as minimizing leakage of information.

Software Components

Vivid Trace is add-on software that is distributed as a single file and installed into your host platform system, such as Atlassian Jira. A fully functional installation of the Vivid Trace software product consists solely of this one add-on software file and nothing else: no additional software or online services, whether mandatory or optional.

Vivid Trace is designed to perform all critical functionality under the assumption that the host system has been disconnected from the Internet. As a convenience, the add-on software provides hyperlinks within the user interface that lead to documentation and other resources on Vivid's website using the HTTPS protocol. For more information about the security aspects of this functionality, please refer to the Privacy Notice.

Telemetrics and Calling Home

As a strict rule, Vivid Trace does not perform any telemetry at all and does not contain code that calls home. Packaged library dependencies have not been completely audited for such behavior; however, Vivid Trace takes steps to ensure that their APIs are used in a non-networked manner only.

Enforcement of the Host Application Security Model

Vivid Trace is expressly designed to honor and enforce the security settings in your host application system according to the observed and documented behavior of Atlassian Confluence and Atlassian Jira. As feasible, the security mechanisms that Vivid Trace enforces include, but are not limited to, project permissions, issue-level security schemes, authentication status including anonymous access, and the security of JQL query content.

Limitations

On Atlassian platforms, when working with issue security schemes, consider the limitations noted in Atlassian's issue tracking systems (partial list): JRASERVER-38511.