- Type: Bug
- Resolution: Tracked Elsewhere
- Priority: Low
- Component/s: Ecosystem
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.
This is not likely limited to JIRA. However, there is no Atlassian SDK project in which users have permission to open tickets.
When developing plugins using the SDK, if the standalone server is started using '--server localhost', the service should bind to localhost. It should not be accessible from the network. Regardless of how secure you feel Atlassian's products may be, this is a security risk when developing custom modules.
>>> atlas-run-standalone --server localhost --product jira
...
[INFO] [talledLocalContainer] Tomcat 7.x started on port [2990]
[INFO] jira started successfully in 73s at http://localhost:2990/jira
[INFO] Type Ctrl-D to shutdown gracefully
[INFO] Type Ctrl-C to exit
Then, from another terminal:
>>> netstat -anutp |grep LISTEN
...
tcp6 0 0 :::8009 :::* LISTEN 32222/java
tcp6 0 0 :::2990 :::* LISTEN 32222/java
tcp6 0 0 :::35730 :::* LISTEN 32222/java
None of these sockets should, at this point, be bound to all interfaces.
Furthermore, users on other hosts can, at this point, connect to the listening instance using the default admin/admin credentials.
Many users do not know how to; do not know that they need to; or do not have permission to restrict access to these ports using firewall rules.
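The check the reporter performs by hand with netstat can be scripted so that a developer (or a CI job) notices wildcard binds before a server is left running. The following is an added example, not part of the bug report or of the Atlassian SDK: it parses netstat -anutp style output and lists every LISTEN socket whose local address is the wildcard (0.0.0.0 or ::), which is exactly the condition the report objects to for ports 2990, 8009 and 35730. The sample lines are constructed to match the shape of the report's output and include a few loopback-bound entries so the filter has something to exclude.

```shell
# Added example (not from the original bug report): flag listening sockets
# bound to all interfaces in `netstat -anutp` style output.
# SAMPLE_NETSTAT is constructed test data in the same column layout as the
# report's output; in practice pipe in `netstat -anutp` or `ss -ltnp`-like text.
SAMPLE_NETSTAT='tcp6       0      0 :::8009                 :::*                    LISTEN      32222/java
tcp6       0      0 :::2990                 :::*                    LISTEN      32222/java
tcp6       0      0 :::35730                :::*                    LISTEN      32222/java
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      1001/postgres
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      900/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      800/cupsd'

# Print "port pid/program" for every LISTEN socket whose local address is
# the wildcard, i.e. reachable from other hosts unless a firewall blocks it.
# Loopback binds (127.0.0.1, ::1) are deliberately not reported.
wildcard_listeners() {
    printf '%s\n' "$1" | awk '
        $6 == "LISTEN" {
            laddr = $4
            # The port is everything after the last colon; the address is
            # whatever precedes it (handles both 0.0.0.0:22 and :::2990).
            n = split(laddr, parts, ":")
            port = parts[n]
            addr = substr(laddr, 1, length(laddr) - length(port) - 1)
            if (addr == "0.0.0.0" || addr == "::" || addr == "*") {
                print port, $7
            }
        }'
}

# Succeeds (exit 0) when the given port is bound to all interfaces, so it
# can gate a script: e.g. refuse to continue if 2990 is network-reachable.
port_is_wildcard() {
    wildcard_listeners "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# Stand-alone run: show the offending listeners in the sample data.
wildcard_listeners "$SAMPLE_NETSTAT"
```

On a live host, replace the sample with `netstat -anutp | grep LISTEN` output; anything the function prints is a service that the report's expectation (bind to localhost when `--server localhost` is given) says should not appear.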
- is related to: JRASERVER-37629 development standalone server should bind to localhost (Closed)