If you find a security bug in JIRA
Open an issue on http://jira.atlassian.com in the JIRA project.
- Set the priority of the bug to "Blocker".
- Provide as much information on reproducing the bug as possible.
- Set the security level of the bug to "Developer and Reporters only".
All communication about the vulnerability should be performed through JIRA, so we can keep track of the issue and get a patch out as soon as possible.
JIRA Security Advisories
When a security issue in JIRA is discovered and resolved, we will inform customers through the following mechanisms:
- A security advisory will be posted on this page.
- A copy of the advisory will be sent to the jira-users and jira-announce mailing lists (subscribe here). These lists are mirrored on our forums.
- If the person who reported the issue wants to publish an advisory through some other agency (for example, CERT), we'll assist in the production of that advisory, and link to it from our own.
Our Patch Policy
When a security issue is discovered, we will endeavour to:
- issue a new, fixed JIRA version as soon as possible.
- issue a patch to the current stable version of JIRA.
- issue patches for older versions of JIRA if feasible.
Patches will generally be attached to the relevant JIRA issue.