Comment Security Default — Overview

Default comment visibility per project, group, or transition — stops accidental information leaks.

★★★★★ 4.6 / 5 · 15 reviews Data Center

Comment Security Default — security level dialog

What Comment Security Default does

In native Jira, the comment-security drop-down defaults to “Viewable by all users”. Every time someone writes a comment, they have to remember to change that drop-down if the comment is sensitive. If they forget — and people do forget — the comment is public to everyone with issue access.

That’s a fail-open design. It puts the burden of getting security right on every user, on every comment, every time. For most teams that’s wrong; for regulated teams, customer-facing teams, or anything touching legal/HR/financial data it’s a quiet, ongoing leak.

Comment Security Default flips it to fail-closed. A Jira administrator configures the safe default — by group, by role, by project, or by workflow transition — and that default is applied automatically. Users have to actively make a comment more visible, not less. The most common configuration mistake (forgetting to restrict) becomes impossible.

Comment Security Default currently runs on Jira Data Center. A Cloud Forge-native version is in active development and expected on the Marketplace shortly.

Key features

  • Default security level for everything. New comments, attachments, work logs, issue links, edits, and even workflow transitions all get a configurable default visibility.
  • By group, by role, by project, by transition. Configurations can target Jira user groups, project roles, individual projects, or specific workflow transitions. The plugin walks the configurations in order and applies the first match.
  • Multiple configurations per scope. Define many configurations side-by-side — for example, “support team gets internal-only by default; engineering team gets visible-to-all by default; everyone else gets visible-to-engineering by default”.
  • Global + project-level scope. Project configurations override global ones for that project. Use global config for sitewide policy plus per-project overrides where teams need different defaults.
  • Service Desk / JSM support. Always show the Customer tab on JSM tickets, swap the order of Customer and Internal tabs, rename the comment author shown to customers, or fall back to standard Jira comment fields instead of customer/internal tabs.
  • Color-coded comment fields. Highlight comment input fields with custom background and border colours depending on whether the comment will be public or restricted. The user sees, before clicking Save, whether the comment is internal or external.
  • Per-transition defaults. Set a different default at each workflow transition — for example, “comments added during the Review transition default to Reviewers-only”.
  • Works on Service Desk and Jira Agile. Full support for both, plus standard Jira Software, Business, and Service Management projects.
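A small model of the ordered, first-match resolution described in the feature list, written as an added example and not taken from the plugin's code. It assumes project configurations are checked before global ones and that a comment nobody's rule matches keeps the native Jira default; the rule fields, group names, project keys and level names are hypothetical. The two helper checks show what an administrator would want to verify in such a policy: contexts that still fall through to the fail-open default, and rules that can never fire because an earlier, broader rule matches first.

```python
from dataclasses import dataclass
from typing import Optional

NATIVE_DEFAULT = "Viewable by all users"  # native Jira default quoted above

@dataclass(frozen=True)
class Rule:
    level: str                        # default visibility this rule applies
    group: Optional[str] = None       # None matches any group
    transition: Optional[str] = None  # None matches any transition (or none)

    def matches(self, groups, transition):
        return ((self.group is None or self.group in groups)
                and (self.transition is None or self.transition == transition))

def resolve(global_rules, project_rules, project, groups, transition=None):
    """Return (level, source): project rules first, then global, first match wins."""
    scopes = (("project", project_rules.get(project, [])), ("global", global_rules))
    for scope, rules in scopes:
        for index, rule in enumerate(rules):
            if rule.matches(groups, transition):
                return rule.level, f"{scope}[{index}]"
    return NATIVE_DEFAULT, "fallthrough"  # assumption: no match means native default

def fail_open_contexts(global_rules, project_rules, contexts):
    """Contexts no rule covers, i.e. still relying on the user to restrict."""
    return [c for c in contexts
            if resolve(global_rules, project_rules, *c)[1] == "fallthrough"]

def shadowed(rules):
    """Indexes of rules that can never fire because an earlier rule is broader."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.group in (None, later.group)
                    and earlier.transition in (None, later.transition)):
                dead.append(i)
                break
    return dead

# Constructed sample policy (group, project and level names are hypothetical).
GLOBAL = [Rule("internal-only", group="support"),
          Rule("visible-to-all", group="engineering")]
PROJECTS = {"LEGAL": [Rule("reviewers-only", transition="Review"),
                      Rule("legal-team")]}
CONTEXTS = [("LEGAL", {"engineering"}, "Review"),
            ("OPS", {"support", "engineering"}, None),
            ("OPS", {"contractors"}, None)]
```

In this sample, adding a final catch-all global rule closes the gap for the contractors context; placing that catch-all first instead would shadow every rule after it.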

What teams use Comment Security Default for

  • Regulated industries (finance, healthcare, government). Comment visibility for clinical, financial, or legal context defaults to a restricted group. Users have to actively choose to make something visible to a wider audience — and that choice is now an explicit decision rather than an oversight.
  • JSM customer-facing teams. Tickets default to “internal” comments so engineers don’t accidentally post raw debug output where the customer can see it. The Customer tab is always visible so customer-facing replies are still one click away.
  • Legal and HR. Sensitive case notes default to a small group; “share with the wider team” is an explicit, deliberate action.
  • Multi-tenant / MSP environments. Configurations per project mean Customer A’s comments default to Customer A’s group, and Customer B’s project has its own default — no cross-tenant comment exposure.
  • External contractors / vendors. Whichever projects external collaborators have access to, default the comment visibility to “internal team” so the default direction is “keep this in” rather than “let it out”.
  • Workflow review steps. Comments added during a Review or Approval transition default to the reviewer group, not to all users — preventing draft review notes from being visible before the decision is final.

Why customers choose Comment Security Default

  • Fail-closed instead of fail-open. The single largest source of accidental information disclosure in Jira (forgetting to restrict a comment) becomes structurally impossible.
  • No retraining required. Users don’t change how they work — the right default just happens. Behaviour change is on the configuration side, not on every team member.
  • Per-group, per-project, per-transition. Tuned to the exact policy a team needs, not a single sitewide setting.
  • Visual confirmation before save. Color-coded comment fields tell users instantly whether the comment is going to be public or restricted — before they hit Save.
  • JSM-aware. Customer-tab / internal-tab handling is built in. No separate configuration for service-management projects.
  • No measurable performance impact. The plugin only acts at comment creation / edit / transition time.
  • Long track record. On Marketplace for many years with strong reviews from regulated-industry customers.

Comment Security Default — colored comment fields

How Comment Security Default compares

Capability | Comment Security Default | Native Jira | Manual policy + training
Default visibility for new comments | | “Visible to all” hard-coded | n/a (relies on user memory)
Per-group defaults | | | n/a
Per-project defaults | | | n/a
Per-workflow-transition defaults | | | n/a
Defaults for attachments, work logs, links, edits | | | n/a
Color-coded comment fields | | | n/a
JSM customer/internal tab handling | | Partial | n/a
Reduces risk of accidental disclosure | | | Partial

Rule of thumb. Any team where the cost of an accidentally-public comment is higher than the cost of an accidentally-restricted comment should run Comment Security Default. That includes essentially every regulated, customer-facing, legal, HR, or security-conscious team.

Free trial and pricing

Comment Security Default has a free trial on the Atlassian Marketplace. Pricing is set by Atlassian and tiers by Jira user count — see the live tier table on the Marketplace listing.

Security and platforms

Comment Security Default currently runs on Jira Data Center, with all data stored inside your Jira instance — no third-party servers in the data path. A Forge-native Cloud edition is in active development and expected on the Marketplace shortly. Full details are in the Cloud Security Statement.

Book a demo

Want a walkthrough of Comment Security Default tailored to your team’s compliance or JSM workflow? Get in touch via the Contact Us page and we’ll set up a live demo.