RFC-124: Evolving the Marketplace Trust Program

In the grand scheme of things, the A4A requirements look achievable. Some questions remain around what verification/enforcement looks like in practice. If it’s just a checkbox, that’s fine with us. If we have to implement performance testing frameworks, then the impact would be much worse.

1.12 is a problem for us.

1.12 All outbound (egress) domains must be explicitly listed to prevent unrestricted network access.

Our Connect and Forge app versions allow project admins to establish an OAuth connection to an external system. This mechanism relies on the “Allow for popups from frames” permission, which is required to implement a secure industry-standard OAuth flow experience (explanation here: Forge router.open does not allow access to originating window via Window.opener).

Would exceptions on certain requirements with reasonable justification be accepted?

Yes, for us, a more coordinated, budget-friendly approach to penetration testing is a welcome direction. We decided not to contract external pen testing for SOC2 because unauthenticated (black-box) testing typically starts at $4-5k, and at that price point, it did not make sense for Atlassian apps, which should typically reject almost all unauthenticated traffic (and we were not willing to pay more).