Security disclosure principles
🚧 The security disclosure program is currently in open beta
Beta features can change during the beta period. You may experience bugs or performance issues during this time.
This page includes:
- General security recommendations for plugins and widgets
- The questions and passing criteria for the voluntary security disclosure form
Data security recommendations
Protect users
Protecting users and user data is critical. Plugins and widgets must protect user data in the following ways:
- If a plugin or widget requires a user to authenticate, it should delegate to a trusted identity provider or standard protocol such as Auth0 or OAuth 2.0 rather than implementing its own credential handling.
- If personally identifiable information (PII) or user data derived from the Figma APIs must be sent outside Figma, you need to be transparent with your users and comply with all disclosure requirements under applicable law.
- If a plugin or widget must store data, it should use the storage features provided by Figma where possible rather than an external store.
Use HTTPS
All network requests made from a plugin or widget to an external server should use HTTPS. Plugins and widgets should never use plain HTTP for network requests from Figma, since data derived from the Figma APIs would then travel unencrypted and could be read or altered in transit.
Restrict network access
Plugins and widgets should restrict network access to only the domains that are required for the plugin or widget to run, and should reject requests to any other host rather than relying on the remote domain alone.
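The two rules above can be enforced in the plugin's own code instead of being left to convention. The following is an added example, not code from this page or from Figma: a small URL check and a wrapper around a `fetch` implementation that refuses anything that is not `https://` or whose hostname is not exactly on an allow list. The host `api.example.com`, the allow list, and the injected `fetchImpl` parameter are assumptions for illustration. Note that a substring check such as `url.includes("api.example.com")` would pass look-alike hosts and query strings; the example parses the URL and compares the hostname exactly.

```javascript
// Added example (not Figma's code): HTTPS-only, allow-listed requests.
// ALLOWED_HOSTS and api.example.com are hypothetical values.
const ALLOWED_HOSTS = new Set(["api.example.com"]);

// Returns null when the URL may be requested, otherwise a short reason.
// The URL is parsed rather than string-matched so that look-alike hosts
// ("api.example.com.evil.net") and hosts hidden in a query string
// ("https://evil.net/?u=api.example.com") are rejected.
function checkUrl(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return "malformed or relative URL";
  }
  if (url.protocol !== "https:") return "scheme is not https";
  if (url.username || url.password) return "URL embeds credentials";
  if (url.port !== "") return "non-default port"; // policy choice: only 443
  if (!allowedHosts.has(url.hostname)) return `host ${url.hostname} is not allow-listed`;
  return null;
}

function isAllowedUrl(rawUrl, allowedHosts = ALLOWED_HOSTS) {
  return checkUrl(rawUrl, allowedHosts) === null;
}

// Wraps a fetch implementation so every outgoing request is checked first.
// fetchImpl is injected so the wrapper can be exercised without a network;
// in a plugin you would pass the real fetch available in that context.
function makeRestrictedFetch(fetchImpl, allowedHosts = ALLOWED_HOSTS) {
  return async function restrictedFetch(rawUrl, init) {
    const reason = checkUrl(rawUrl, allowedHosts);
    if (reason !== null) {
      throw new Error(`Blocked request to ${rawUrl}: ${reason}`);
    }
    return fetchImpl(rawUrl, init);
  };
}
```

Use `makeRestrictedFetch` as the only way the plugin issues requests, so that a later code change cannot quietly add an unlisted host or downgrade to HTTP without failing at runtime.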
Questions and disclosure principles
| Question | Applied principle |
|---|---|
| 1. Do you host a backend service for your plugin or widget? | |
| 1b. Do you have a publicly documented process for managing security vulnerabilities in the service(s) you host? For example, see Figma's security vulnerability process. | |
| 1c. Are you accredited to any relevant security standards (for example, SOC 2, PCI DSS, HITRUST, ISO 27001, or SSAE 18)? | If the plugin or widget sends data derived from Figma's APIs to an external backend, the developer must identify and provide documentation of the security standards that are met. |
| 2. Does your plugin or widget make network requests to services you don't host? | Ideally, the plugin or widget does not make any network requests. If network requests are made, no data derived from Figma's APIs is sent in the requests. If the plugin or widget makes network requests that send data derived from the Figma APIs, the developer must describe why the data is required. |
| 3. Does your plugin or widget have user authentication? | |
| 3b. Describe how you keep user credentials secure (for example, credential storage, password constraints, verification systems, etc.). | If the plugin or widget hosts its own authentication service, the developer must describe how user credentials are secured. |
| 4. Do you store any data read or derived from Figma's plugin or widget API? | Ideally, the plugin or widget doesn't store any data derived from the Figma APIs, or uses the storage options provided by Figma. |
| 4b. Please describe how and where this data is stored. | |
| 4c. Describe who can access this data and any relevant data handling policies. | |
| 5. How do you manage updates to your plugin? | |