HammerR&D for Atlassian JIRA

Architecture Overview

HammerR&D is an Atlassian Forge app — it runs entirely within Atlassian's cloud infrastructure. There are no external servers, no self-hosted backends, and no customer-accessible endpoints outside of the Atlassian ecosystem.

Data Handling

What data the app reads

HammerR&D reads the following JIRA issue fields to perform R&D signal scoring:

• Issue summary and description
• Issue type, labels, and components
• User account ID (for attribution in the issue panel)

Where data is stored

R&D scores and analysis results are stored in Atlassian Forge Storage, which is hosted and managed by Atlassian within your JIRA instance's data residency region. We do not store any JIRA data on external servers.

External data processing

Issue text (summary and description) is sent to the Anthropic Claude API for AI-powered R&D signal analysis. This is the only external data egress. Anthropic processes data in real time and does not retain input data beyond the duration of the API call, per their data retention policy.

Permissions & Least Privilege

HammerR&D follows the principle of least privilege:

• read:jira-work — Read-only access to JIRA issues. The app cannot create, modify, or delete issues.
• storage:app — Read/write access to Forge app storage for persisting R&D scores.
• asApp() only — The app authenticates as itself (app identity), not as individual users. It does not impersonate users or act on their behalf.

The app requests no write permissions to JIRA content, no admin scopes, and no access to user profiles, emails, or personal data.

Secrets Management

• The Anthropic API key is the only third-party credential used by the app.
• It is stored using Forge encrypted variable storage (forge variables set), which encrypts values at rest.
• The key is never exposed in source code, client-side responses, logs, or error messages.
• No Atlassian credentials, personal access tokens, or user passwords are collected or stored by the app.

Input Validation

• All JIRA issue data is type-checked before processing — only expected field types (strings, numbers) are accepted.
• Input is sanitized before being sent to the Anthropic API to prevent prompt injection.
• The app does not render user-supplied HTML or execute dynamic code.

Dependency Management

• Dependencies are kept minimal — only the Forge runtime and @forge/api for REST calls.
• npm audit (SCA scanning) is run before every deployment.
• Critical and high-severity vulnerabilities are resolved before any release to production.
• Most recent scan: 0 vulnerabilities (March 23, 2026).

Vulnerability Management

We follow Atlassian's Marketplace Security Bug Fix Policy with the following response times:

Incident Response

In the event of a security incident affecting HammerR&D:

1. Identification & Containment: Detect, classify, and isolate affected components immediately.
2. Investigation: Determine root cause, affected data scope, and blast radius.
3. Customer Notification: Affected customers notified within 72 hours of a confirmed breach.
4. Atlassian Notification: Marketplace team notified per the Marketplace Incident Notification Policy.
5. Remediation: Patch deployed and verified before closing the incident.
6. Post-Mortem: Root cause documented, controls updated to prevent recurrence.

Logging & Monitoring

• The app uses Forge's built-in logging for error tracking and debugging.
• Logs do not contain JIRA issue content, user credentials, or API keys.
• No log data is exported outside of the Atlassian Forge environment.

Report a Security Issue

If you discover a security vulnerability in HammerR&D, please report it responsibly: