How to Review OAuth in Atlassian Products Without Losing Your Sanity
- Patrick Duggan
- Aug 27, 2025
- 2 min read
OAuth: the protocol that lets an app ask for scoped, revocable access to your data instead of asking for your password. It solves a real problem, but every grant it creates is a standing credential that someone has to keep track of, and the admin screens that show those grants are scattered across Atlassian's products. If you're managing Atlassian products, reviewing OAuth configurations is not just good hygiene, it's essential.
Let’s walk through how to audit OAuth settings across Atlassian’s ecosystem with clarity, precision, and confidence.
OAuth Review Checklist for Jira & Confluence (Cloud)
• Access OAuth Settings
Navigate to: Admin → Manage Apps → OAuth Credentials
• Review Active Tokens
Look under Connected Apps and OAuth Consumers to see which apps are currently authorized.
• Audit Scopes
Examine each app's granted scopes against what the integration actually does. Read-only scopes are rarely a problem; any write or manage scope (for example a reporting tool holding write:jira-work or manage:jira-configuration) needs a documented justification.
• Revoke Unused Tokens
Revoke apps that are no longer in use or show suspicious activity. Revoking a grant invalidates the app's refresh token, so a legitimate app that was revoked by mistake simply has to go through consent again; the cost of being wrong is low.
• Check App Source
Confirm whether the app comes from the Atlassian Marketplace or is custom-built, and for custom apps record who owns the client ID and where its client secret is stored.
⸻
OAuth Review Checklist for Bitbucket (Cloud)
• Navigate to OAuth Settings
Go to: Workspace settings → OAuth consumers (in the older Bitbucket Cloud UI this lived under Personal settings → OAuth). Consumers are scoped to the workspace, so check every workspace you administer, not just the one you use day to day.
• Review OAuth Consumers
Identify which apps have access to your repositories.
• Validate Permissions
Ensure each consumer only has the scopes it truly needs. Bitbucket scopes are tiered (repository vs. repository:write vs. repository:admin, pullrequest vs. pullrequest:write), so a consumer that only reads commits should not hold a write tier, and pipeline:variable deserves a hard look because it exposes pipeline secrets.
• Rotate Secrets
Periodically rotate client secrets for custom consumers. Rotation stops anyone holding the old secret from minting new tokens, but it does not necessarily kill tokens already issued; if you suspect a secret leaked, revoke the consumer's existing grants as well.
• Monitor Usage
Use the workspace audit log and your own request logging to track which consumers are actually exchanging tokens. A consumer that still has repository:write but hasn't been seen in months is the textbook forgotten integration.
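The two cloud checklists above (audit scopes, revoke unused grants, check the app source, rotate secrets) are exactly the kind of review that drifts if it lives only in someone's head. The script below is an added example for this post, not Atlassian tooling: it takes an inventory you have transcribed from the admin screens (the sample inventory is constructed; the scope names are real Jira Cloud, Confluence Cloud and Bitbucket Cloud scopes, but the "high risk" grouping and the 90/180-day thresholds are this example's policy, not Atlassian's) and emits the findings you would otherwise hunt for by eye: scopes beyond what the owner says the app needs, write/manage scopes, stale grants, non-Marketplace apps, and custom-app secrets overdue for rotation.

```python
"""Least-privilege audit over a hand-exported Atlassian OAuth inventory.

Added example, not Atlassian's own code. The inventory below is constructed
sample data shaped like the notes you take while walking the admin screens.
"""
from datetime import datetime, timezone

STALE_DAYS = 90     # example policy: no token use in this long -> revoke candidate
ROTATE_DAYS = 180   # example policy: custom-app secret older than this -> rotate

# Real scope names; treating them as "high risk" is this example's policy.
HIGH_RISK_SCOPES = {
    # Jira Cloud
    "write:jira-work", "manage:jira-project", "manage:jira-configuration",
    "manage:jira-webhook", "manage:jira-data-provider",
    # Confluence Cloud
    "write:confluence-content", "write:confluence-space",
    "manage:confluence-configuration",
    # Bitbucket Cloud
    "repository:write", "repository:admin", "repository:delete",
    "pullrequest:write", "webhook", "pipeline:variable", "account:write",
}

# Constructed sample inventory: what each app was granted, what its owner
# says it needs, where it came from, last token use, last secret rotation.
INVENTORY = [
    {"name": "Release Notes Bot", "product": "jira", "source": "custom",
     "granted": {"read:jira-work", "write:jira-work", "manage:jira-configuration"},
     "needed": {"read:jira-work"},
     "last_used": "2025-08-20", "secret_rotated": "2024-11-01"},
    {"name": "Deploy Tracker", "product": "bitbucket", "source": "custom",
     "granted": {"repository", "repository:write", "pipeline:variable", "webhook"},
     "needed": {"repository", "webhook"},
     "last_used": "2025-03-02", "secret_rotated": "2025-06-15"},
    {"name": "Team Calendar", "product": "confluence", "source": "marketplace",
     "granted": {"read:confluence-content.all", "read:confluence-user"},
     "needed": {"read:confluence-content.all", "read:confluence-user"},
     "last_used": "2025-08-25", "secret_rotated": None},
]


def _days_since(date_str, now):
    """Whole days from an ISO date (YYYY-MM-DD) to `now`; None if no date."""
    if date_str is None:
        return None
    then = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (now - then).days


def audit_app(app, now):
    """Return (code, detail) findings for one authorized app."""
    findings = []
    extra = app["granted"] - app["needed"]
    if extra:                                   # granted more than the owner can justify
        findings.append(("EXCESS_SCOPE", sorted(extra)))
    risky = app["granted"] & HIGH_RISK_SCOPES
    if risky:                                   # write/manage power, justified or not
        findings.append(("HIGH_RISK_SCOPE", sorted(risky)))
    idle = _days_since(app["last_used"], now)
    if idle is None or idle > STALE_DAYS:       # never seen, or not seen recently
        findings.append(("STALE_TOKEN", idle))
    if app["source"] != "marketplace":          # custom apps: know the owner, rotate the secret
        findings.append(("NON_MARKETPLACE", app["source"]))
        age = _days_since(app["secret_rotated"], now)
        if age is None or age > ROTATE_DAYS:
            findings.append(("ROTATE_SECRET", age))
    return findings


def audit(inventory, as_of=None):
    """Audit every app; `as_of` is an ISO date string, default today (UTC)."""
    now = (datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
           if as_of else datetime.now(timezone.utc))
    return {app["name"]: audit_app(app, now) for app in inventory}


if __name__ == "__main__":
    for name, findings in audit(INVENTORY, as_of="2025-08-27").items():
        print(name)
        for code, detail in findings or [("OK", None)]:
            print(f"  {code}: {detail}")
```

Run as-is it flags the Release Notes Bot for two manage/write scopes it never needed and a nine-month-old secret, flags the Deploy Tracker for a write tier it doesn't use plus 178 idle days, and passes the Marketplace calendar app. The point of keeping `needed` next to `granted` is that the owner's own statement of need becomes the baseline you audit against each quarter.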
⸻
OAuth Review Checklist for Atlassian Server/Data Center
• Check Application Links
Navigate to: Admin → Application Links
• Validate OAuth Configuration
Confirm that each link authenticates with OAuth (or OAuth with impersonation, where the use case really requires acting as the user) rather than Basic Access, which stores a shared username and password on the linking side. Application Links uses OAuth 1.0a, so expect consumer keys and public keys rather than client secrets and scopes.
• Review Trusted Apps
Ensure only necessary apps are linked, and treat any link still using the legacy Trusted Applications type as a migration item: it trusts the remote application for every user with no per-user consent, which is the opposite of what you want from OAuth.
• Test Token Exchange
Use the status checks on the Application Links admin page to verify that each link can still complete an OAuth exchange in both directions. A link that fails its check is either broken (and should be fixed) or dead (and should be deleted); neither should sit there with credentials attached.
• Document Everything
Keep a record of configurations for audits and future reference.
⸻
Common Pitfalls and How to Fix Them
• Overly Broad Scopes
Limit scopes to only what’s needed for the app’s functionality.
• Forgotten Integrations
Set calendar reminders to review OAuth configurations quarterly.
• No Logging
Enable audit logs and monitor them regularly.
• Hardcoded Secrets
Keep client secrets and consumer keys out of source code and wiki pages. Load them from a secret manager (environment variables injected at deploy time are the minimum), and remember that a secret committed to a repository is compromised the moment it lands there, even if the commit is later removed.
OAuth gives you the tools for least-privilege delegation, but in practice it is only as strong as the grants and configurations behind it. Whether you're managing Jira, Confluence, Bitbucket, or a self-hosted Atlassian stack, reviewing OAuth settings isn't just a checkbox; it's a habit. By auditing scopes, rotating secrets, and documenting integrations, you're not just protecting data, you're reinforcing trust across your ecosystem. And while the process may feel tedious at times, it's far less painful than explaining a breach that started with a forgotten token. Stay curious, stay paranoid, and keep your OAuth house in order.
