Vivid Trace 2021.1 Security

This document details security considerations specific to this release of the Vivid Trace software, version 2021.1.

Note: This document details security information specific to version 2021.1 of the Vivid Trace software; the security-oriented information in Legal Notices is updated as necessary after the release of this version. Taken together, this document and the applicable Legal Notices constitute the overall security stance of Vivid Inc. and its products and services. Each reading of that overall security stance reflects the best information available at that point in time.

This document covers the following topics:

Principles
Software Components
Telemetrics and Calling Home
Enforcement of the Host Application Security Model
Limitations

Principles

Jira systems are configured according to security requirements that draw from a spectrum of needs, including locked-down systems in behind-the-firewall, offline environments, and Open Source Software issue trackers that encourage public signup and publish nearly all ticket information. Vivid Trace is designed to mesh with your security requirements and enforce the host application's security model, while still maintaining good overall security practices, such as minimizing leakage of information.

Software Components

Vivid Trace is add-on software that is installed into your Jira system, and is distributed as a single file, properly formed in the Atlassian Jira add-on file format. A total and fully-functional installation of the Vivid Trace software product consists solely of this one add-on software file and of nothing else, mandatory or optional, such as additional software or online services.

Vivid Trace is designed to perform all critical functionality under the assumption that Jira has been disconnected from the Internet. As a convenience, the add-on software provides hyperlinks within the user interface that lead to documentation and other resources on Vivid's website using the HTTPS protocol. For more information about the security aspects of this functionality please refer to the Privacy Notice.

Telemetrics and Calling Home

As a strict rule, Vivid Trace does not perform any telemetry at all and does not contain code that calls home. Packaged library dependencies have not been completely audited for such behavior; however, Vivid Trace takes steps to ensure that their APIs are used in a non-networked manner only.

With respect to the versions of Confluence and Jira supported by this release of Vivid Trace, the Atlassian Universal Plugin Manager is known to (attempt to) send to Atlassian information that reveals the existence of your host application and installed add-ons, in part to be able to inform you when newer releases of Vivid Trace are available. Specifically, installing Vivid Trace into your Confluence or Jira system or performing other such operations related to the management of add-ons in general may induce your system to attempt to call home to Atlassian, carrying information that reveals the existence of and potentially identifying your system and/or Vivid Trace. For further information, please examine your agreements with Atlassian.

Enforcement of the Host Application Security Model

Vivid Trace is expressly designed to honor and enforce the security settings in your host application system according to the observed and documented behavior of Confluence version 7.4+ and Jira version 9.4+. As feasible, the security mechanisms that Vivid Trace enforces include, but are not limited to, project permissions, issue-level security schemes, authentication status including anonymous access, and the security of JQL query content.
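The following Java class is an added illustration of the pattern the paragraph above describes: an add-on that renders issue data defers every access decision to the host application's own permission model instead of re-implementing it. It is not Vivid Trace's code and says nothing about that product's internals; it assumes only Jira's public Java API (PermissionManager, SearchService, IssueManager, JiraAuthenticationContext) as published for the Jira 9.x line, and the class name `TraceAccessGuard` and the methods `visibleIssue` and `visibleIssuesForJql` are hypothetical names chosen here.

```java
import com.atlassian.jira.bc.issue.search.SearchService;
import com.atlassian.jira.issue.Issue;
import com.atlassian.jira.issue.IssueManager;
import com.atlassian.jira.issue.search.SearchException;
import com.atlassian.jira.issue.search.SearchResults;
import com.atlassian.jira.permission.ProjectPermissions;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.security.PermissionManager;
import com.atlassian.jira.user.ApplicationUser;
import com.atlassian.jira.util.MessageSet;
import com.atlassian.jira.web.bean.PagerFilter;
import com.atlassian.query.Query;

import java.util.List;
import java.util.Optional;

/**
 * Hypothetical access guard (illustrative, not part of any shipped add-on).
 * Every issue the add-on would display passes through the host's checks:
 * project permissions, issue-level security, and the current authentication
 * status (an anonymous session is represented by a null ApplicationUser).
 */
public class TraceAccessGuard {
    private final PermissionManager permissionManager;
    private final SearchService searchService;
    private final IssueManager issueManager;
    private final JiraAuthenticationContext authContext;

    public TraceAccessGuard(PermissionManager permissionManager,
                            SearchService searchService,
                            IssueManager issueManager,
                            JiraAuthenticationContext authContext) {
        this.permissionManager = permissionManager;
        this.searchService = searchService;
        this.issueManager = issueManager;
        this.authContext = authContext;
    }

    /**
     * Returns the issue only if the current user may browse it.
     * hasPermission(...) with an Issue argument evaluates the project's
     * "Browse Projects" permission together with the issue's security level,
     * so issue-level security schemes are honored, not bypassed.
     * A missing issue and a forbidden issue both yield Optional.empty(), so the
     * caller cannot tell whether a key exists (minimizes information leakage).
     */
    public Optional<Issue> visibleIssue(String issueKey) {
        ApplicationUser user = authContext.getLoggedInUser(); // null when anonymous
        Issue issue = issueManager.getIssueByCurrentKey(issueKey);
        if (issue == null) {
            return Optional.empty();
        }
        if (!permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, issue, user)) {
            return Optional.empty();
        }
        return Optional.of(issue);
    }

    /**
     * Runs user-supplied JQL through Jira's own parser, validator and searcher,
     * all on behalf of the current user, so the host applies its permission
     * filtering to the result set. Invalid or rejected JQL yields an empty list
     * rather than an error message that echoes the query text back.
     */
    public List<Issue> visibleIssuesForJql(String jql, int maxResults) {
        ApplicationUser user = authContext.getLoggedInUser();
        SearchService.ParseResult parsed = searchService.parseQuery(user, jql);
        if (!parsed.isValid()) {
            return List.of();
        }
        Query query = parsed.getQuery();
        MessageSet validation = searchService.validateQuery(user, query);
        if (validation.hasAnyErrors()) {
            return List.of();
        }
        try {
            SearchResults<Issue> results =
                searchService.search(user, query, new PagerFilter(0, maxResults));
            return results.getResults();
        } catch (SearchException e) {
            return List.of();
        }
    }
}
```

The design point is that the add-on never decides for itself who may see an issue: it passes the host's notion of the current user, including the anonymous case, into the host's own permission and search services and shows only what comes back. Collapsing "does not exist" and "not permitted" into the same empty result is what keeps the add-on from confirming the existence of issues the user cannot browse.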

Limitations

When working with issue security schemes, consider the limitations noted in Atlassian's issue tracking systems (partial list): JRASERVER-38511.