Security at issueboard
Your issues describe your product's weaknesses, your customers' problems, and your team's plans. Here is how we protect them — stated plainly, including what we haven't done yet.
Data isolation per organization
Every piece of data in issueboard belongs to exactly one organization, and every API request is scoped to an organization. Access checks are enforced at the API layer on every request — organization scoping is part of the resource path itself, not an implicit header that can be forgotten.
No passwords, ever
issueboard has no password database to breach. Sign-in is exclusively through Google, Microsoft, or GitHub OAuth, which means your account inherits the protections you already have there — including any two-factor authentication you have enabled. Reporters use short-lived magic links sent to their email.
Encryption in transit
All traffic between your browser and issueboard, and between internal issueboard services that are exposed to a network, is encrypted with TLS. Plain HTTP is not served.
Least-privilege access
Internal services authenticate to each other and to data stores with narrowly scoped credentials. Production access for the team is limited to what operating the service requires, and credentials are stored in a secrets manager, never in code.
Roles limit blast radius
The admin / editor / viewer / reporter model is also a security boundary: only admins manage members, API keys and org settings, reporters can only see and comment on their own reports, viewers cannot modify anything, and per-project permissions are independent of any code or repository access.
Your data stays yours
Issue content is used to run the service for you — nothing else. We do not sell data or mine customer issues. See the privacy policy for the full picture.
An honest note about beta status
issueboard is in public beta. The practices above are how the service is built and operated today, but we have not yet completed a third-party security audit or a SOC 2 / ISO 27001 certification — those come as the product matures toward general availability. If your organization's requirements include certified controls today, we would rather tell you that now than after you have migrated your backlog.
Responsible disclosure
If you believe you have found a security vulnerability in issueboard, please email security@issueboard.dev with enough detail to reproduce the issue. We commit to acknowledging reports quickly, keeping you informed while we investigate, and crediting you (if you wish) once a fix ships. Please give us a reasonable window to fix the issue before public disclosure, and do not access or modify data that is not yours while testing.