Backlog Hygiene for Jira Support & Security

Public Contact

• Primary support URL: The published support and security page is the primary Marketplace-facing support URL for the current founder-operated release stream.
• Security reports: Use the published support URL unless a separate security contact is published later.

Source Policy Text

# Support And Security

Prepared on `2026-03-13` as repo-backed source material for future customer-facing support and security publication. Once rendered and published, the generated `support-and-security.html` page is itself the Marketplace-facing support URL for the current founder-operated release stream.

Use `npm run marketplace:publication -- --base-url <https://docs.example.com/app> --output-dir <dir> [--support-email <addr> | --support-portal-url <url>] [--security-email <addr>]` to render this source document into a hostable support page. Direct support/security contact details are optional enrichments at generation time rather than release blockers.

## Support Coverage Baseline

- Support owner for the current release stream: `Akrabut`
- Coverage target: first response within `24` hours on weekdays
- Incident ownership and escalation handling are currently single-operator for this release stream

## Severity And Update Cadence

| Severity | Initial Owner | Escalate After | Customer Update Cadence |
| --- | --- | --- | --- |
| SEV-1 | `Akrabut` | 15 min | Every 60 min |
| SEV-2 | `Akrabut` | 60 min | Every 4 hours |
| SEV-3 | `Akrabut` | 1 business day | Daily |
| SEV-4 | `Akrabut` | 2 business days | Weekly |

## Current Support Workflow

- Internal release and operational issues are triaged through the release-owner workflow documented in the Gate C artifacts.
- Incident updates use the prepared communication templates under `docs/operations/reports/communication-templates-2026-03-11.md`.
- Support ownership and escalation posture are documented in:
  - `docs/operations/reports/support-rota-2026-03-11.md`
  - `docs/operations/reports/escalation-matrix-2026-03-11.md`

## Security Posture Snapshot

- The app is Forge-native and the current staging deployment for version `9.7.0` reports Runs on Atlassian eligibility.
- The March 13 security refresh found:
  - no production dependency vulnerabilities
  - no `high` or `critical` vulnerabilities anywhere in the dependency graph
- Accessibility readiness and English-only localization baseline evidence are present for the current release stream.

## Vulnerability Handling

- Security ownership for the current release stream is assigned to `Akrabut`.
- Security-response workflow and Marketplace-aligned readiness expectations are documented in `docs/guides/ENTERPRISE_PRODUCTION_READINESS.md`.
- The current internal handling route references Atlassian/ECOHELP and the repo-backed release workflow; a separate public customer-facing vulnerability intake endpoint remains optional and can be added later if the final listing posture requires it.

## Publication Gap

- The generated support/security page still needs to be published at a customer-visible URL before Marketplace submission.
- Optional direct support/security contact details may still be added at publication time, but they are no longer required to publish the support URL itself.

## Evidence Basis

- `docs/operations/reports/support-rota-2026-03-11.md`
- `docs/operations/reports/escalation-matrix-2026-03-11.md`
- `docs/operations/reports/communication-templates-2026-03-11.md`
- `docs/operations/reports/security-scan-2026-03-11.md`
- `docs/operations/reports/accessibility-audit-2026-03-11.md`
- `docs/operations/reports/i18n-coverage-2026-03-11.md`
- `docs/guides/ENTERPRISE_PRODUCTION_READINESS.md`