Vulnerability disclosure for the Linked SLA Alerts Atlassian Forge app.
Last updated: March 2026
Only the latest published version of Linked SLA Alerts on the Atlassian Marketplace is supported for security fixes and coordinated disclosure. Please ensure you are on the current listing version before reporting.
Send reports only to [email protected] (private email). Do not open public GitHub issues or use a public bug tracker for vulnerability details—we handle reports confidentially through this address. You are not required to publish vulnerabilities.
Email [email protected] with:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)
- Acknowledge your report within 5 business days
- Provide a status update within 10 business days
- Resolve the issue or formally accept the risk within 30 business days, depending on severity and practical constraints (we will communicate if timelines need to adjust)
We follow coordinated disclosure. Please do not publicly disclose details before a fix is available, unless 90 days have passed without a substantive response from us—in which case you may disclose responsibly. We appreciate working with reporters to protect users.
In scope: Security vulnerabilities in the Linked SLA Alerts Forge app (as distributed via the Atlassian Marketplace).
Out of scope for technical vulnerability reports: The static GitHub Pages site (techcache.github.io) and general use of the support email (e.g. routine support mail handling). If you find something that is clearly abuse of those channels, you may still email [email protected] with a short description.
For a customer-facing security overview (architecture, data handling, incident response), see https://techcache.github.io/security/
The same vulnerability disclosure text is published at https://techcache.github.io/vulnerability-disclosure/ — keep that page and this file in sync when you change policy wording.