2025-01 - P1 - Cloud - Posting of internal comments via Teams portal app bot notifications
Summary
Due to a change in our notification infrastructure implemented in November 2024, internal Jira Service Management comments could have been mistakenly sent out via our Teams portal bot to customers of that specific Jira Service Management ticket. This happened for Jira Service Management projects with personal customer notifications and public comment posting enabled. In this case, internal comments could be posted into the personal bot notifications of the reporter and request participants, if they had the JSM portal app installed in Microsoft Teams. Consequently, content written in internal comments composed between November 29, 2024 and January 16, 2025 could be visible to the respective customers with affected configurations.
We sincerely apologize for any disruption or concern this incident may have caused. Our team is taking this matter very seriously, and we are committed to preventing such issues in the future. To that end, we will be enhancing our automatic testing protocols to ensure better detection and prevention of similar problems.
Affected configurations
Jira Service Management Cloud must be in use.
The app Microsoft 365 for Jira or Microsoft Teams for Jira & JSM must be installed.
Personal notifications and public comment posting via the JSM portal app must be enabled in the respective JSM project settings.
The reporter and request participants of the request must have the JSM portal app installed.
Root cause & impact
During the refactoring of personal notifications, a critical check on comment visibility was overlooked. This led to internal comments being incorrectly sent via personal bot notifications to the reporter and request participants of the request. This may have leaked internal information to the customer users. It is important to note that this only happened to customer users who have the portal app deployed in Microsoft Teams and will not have leaked information to external parties.
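An illustration of the visibility check described above, placed directly at the notification step so that a refactoring cannot bypass it, together with a helper for scoping which comments need review. This is an added example, not the vendor's code: the `Comment` and `ProjectSettings` shapes and all function names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import date

# Exposure window stated in this report; treated as inclusive (assumption).
WINDOW_START, WINDOW_END = date(2024, 11, 29), date(2025, 1, 16)

@dataclass(frozen=True)
class Comment:              # hypothetical shape, not the vendor's data model
    request_key: str
    body: str
    public: object          # True = customer-visible, False = internal, None = unknown
    created: date

@dataclass(frozen=True)
class ProjectSettings:      # the two project options named under "Affected configurations"
    personal_notifications: bool
    public_comment_posting: bool

def affected(settings):
    return settings.personal_notifications and settings.public_comment_posting

def is_customer_visible(comment):
    # Fail closed: a missing or non-boolean flag is treated as internal.
    return comment.public is True

def plan_bot_notifications(comment, settings, recipients, portal_app_users):
    """Return the (user, text) messages the portal bot may send for one comment."""
    if not affected(settings) or not is_customer_visible(comment):
        return []
    return [(u, f"[{comment.request_key}] {comment.body}")
            for u in recipients if u in portal_app_users]

def possibly_exposed(comments, settings):
    """Over-approximate review list: non-public comments created in the window."""
    if not affected(settings):
        return []
    return [c for c in comments
            if not is_customer_visible(c) and WINDOW_START <= c.created <= WINDOW_END]

# Constructed sample data.
SETTINGS = ProjectSettings(True, True)
COMMENTS = [
    Comment("HELP-1", "We have shipped the fix.", True, date(2024, 12, 2)),
    Comment("HELP-1", "Customer is on a legacy contract.", False, date(2024, 12, 3)),
    Comment("HELP-2", "Visibility flag lost in mapping.", None, date(2025, 1, 10)),
    Comment("HELP-3", "Internal note after the fix.", False, date(2025, 1, 20)),
]
```

`possibly_exposed` does not check whether the reporter or participants had the portal app installed, so its result is an upper bound on what needs review.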
Resolution
This issue first arose on November 29, 2024. Upon its discovery on the 16th of January, we identified the cause of the problem and implemented a fix within a few hours.
We sincerely apologize for any disruption or concern this incident may have caused.