Product Security Patch Policy
Atlassian makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Atlassian products.
This page describes when and how we release security patches and security upgrades for our products. It does not describe the whole of the disclosure process that we follow. This policy excludes OnDemand and Bitbucket, since these services are always patched by Atlassian without additional notifications.
When a Critical security vulnerability is discovered by Atlassian or reported by a third party, Atlassian will do all of the following:
- Issue a new, fixed release for the current version of the affected product as soon as possible, usually in a few days.
- Issue a binary patch for the current release.
- Issue a binary patch for the latest maintenance release of the previous version of the product.
- Not issue patches for older versions or releases, as a rule.
Patches will be attached to the relevant JIRA issue. You can use these patches as a "stop-gap" measure until you upgrade your installation in order to fully fix the vulnerability.
When a security issue of a High, Medium or Low severity is discovered, Atlassian will do all of the following:
- Include the fix in the next scheduled release, both for the current and the previous maintenance versions.
- Where practical, provide new versions of plugins or other components of the product that can be upgraded independently.
You should upgrade your installation in order to fix the vulnerability.
The severity level of a vulnerability is determined according to our Severity Levels for Security Issues.
See also our general Atlassian Patch Policy.
Example 1: A critical severity vulnerability is found in JIRA 5.3.2 (a hypothetical current release). The last bugfix release in the 5.2.x branch was 5.2.3. In this case, patches will be created for 5.3.2 and for 5.2.3. In addition, new bugfix releases, 5.3.3 and 5.2.4, which are free from this vulnerability, will be created within a few days.
Example 2: A high or medium severity vulnerability is found in the same release as in the previous example. The fix will be included in the currently scheduled releases 5.3.3 and 5.2.4. The release schedule will not be brought forward and no patches will be issued. If the vulnerability is in a plugin module, a plugin upgrade package may still be supplied.
See How to Get Legendary Support from Atlassian for more support-related information.