
Security policy: Tech Cachet

Vulnerability disclosure for all Tech Cachet Atlassian Forge apps (including Audit & Risk Insights, Secrets Finder, and other published tools).

Last updated: April 2026


Supported versions

Only the latest published version of any Tech Cachet app on the Atlassian Marketplace is supported for security fixes and coordinated disclosure. Please ensure you are on the current listing version before reporting.


Reporting a vulnerability

Send reports only to security@techcachet.com (private email). Do not open public GitHub issues, post to a public tracker, or expect a public filing; we treat findings confidentially through this channel. You are not required to publish vulnerability details.

Email security@techcachet.com with:

  1. A description of the vulnerability
  2. Steps to reproduce
  3. Potential impact
  4. Any suggested fixes (optional)

Our response commitment


Disclosure policy

We follow coordinated disclosure. Please do not publicly disclose details before a fix is available, unless 90 days have passed without a substantive response from us, in which case you may disclose responsibly. We appreciate working with reporters to protect users.


Scope

In scope: Security vulnerabilities in any Tech Cachet Forge app (as distributed via the Atlassian Marketplace).

Out of scope for technical vulnerability reports: The static GitHub Pages site (techcachet.com) and general use of the support email (e.g. routine support mail handling). If you find something that is clearly abuse of those channels, you may still email security@techcachet.com with a short description.


Contact

security@techcachet.com

For a customer-facing security overview (architecture, data handling, incident response), see Security Overview.

