Announcement: Planned changes to the Security Bug Fix Policy


This page outlines the upcoming changes to the Security Bug Fix Policy.

On March 15, 2024, we are updating the Atlassian Security Bug Fix Policy with respect to Data Center critical vulnerabilities in the following products: Jira Software, Jira Service Management, Confluence, Bitbucket, Bamboo, and Crowd.

In Data Center, we offer security bug fixes for two different release types: Feature releases and Long Term Support (LTS) releases.

  • Today: When we discover a critical vulnerability, we ship a bug fix release for any feature release less than 6 months old and for any supported LTS release.

  • Future: When we discover a critical vulnerability, we will ship a bug fix release only for the most recent feature release and for any supported LTS releases.

Compare the previous policy with our new policy

Previous Policy

  • Support for all feature releases less than 6 months old

  • Support for a new feature release for the affected Product on the release schedule

  • Support for all active LTS releases in accordance with the Atlassian Support End-of-Life Policy

Example: If Product 4.7 was affected, we will ship:

  • Product 4.7.x (latest feature release)

  • Product 4.6.x (feature release < 6 months old)

  • Product 4.5.x (feature release < 6 months old)

  • Product 4.4.x (feature release < 6 months old)

  • Product 4.2.x (Long Term Support release)

  • Product 3.5.x (Long Term Support release)

New Policy

  • Support for the latest feature release of the affected Product (NEW)

  • Support for a new feature release for the affected Product on the release schedule (NO CHANGE)

  • Support for all active LTS releases in accordance with the Atlassian Support End-of-Life Policy (NO CHANGE)

Example: If Product 4.7 was affected, we will ship:

  • Product 4.7.x (latest feature release)

  • Product 4.2.x (Long Term Support release)

  • Product 3.5.x (Long Term Support release)

New Security Bug Fix Policy

We are sharing the complete content of the updated Security Bug Fix Policy with you so that you can become familiar with our new approach and adjust accordingly.

Changes will take effect across all Data Center products on March 15, 2024.

Scope

This policy describes how and when we may resolve security vulnerabilities in our products.

Security bug fix Service Level Objectives (SLO)

Atlassian sets service level objectives for fixing security vulnerabilities based on the security severity level and the affected product. We've defined the following timeframe objectives for fixing security issues in our products:

Accelerated Resolution Objectives

These timeframes apply to all cloud-based Atlassian products, and any other software or system that is managed by Atlassian, or is running on Atlassian infrastructure. They also apply to Jira Align (both the cloud and self-managed releases).

  • Critical vulnerabilities to be fixed in product within 14 days of being verified

  • High vulnerabilities to be fixed in product within 28 days of being verified

  • Medium vulnerabilities to be fixed in product within 42 days of being verified

  • Low vulnerabilities to be fixed in product within 175 days of being verified

Extended Resolution Timeframes

These timeframe objectives apply to all self-managed Atlassian products. A self-managed product is installed by customers on customer-managed systems and includes Atlassian's Data Center and mobile apps.

  • Critical, High, and Medium vulnerabilities to be fixed in product within 90 days of being verified

  • Low vulnerabilities to be fixed in product within 180 days of being verified

Critical Vulnerabilities

When a critical vulnerability is discovered by Atlassian or reported by a third party, Atlassian will take the following actions:

  • For cloud products, we will ship a new fixed release for the affected product as soon as possible

  • For self-managed products, we will:

    • ship a bug fix release for the latest feature release of the affected product

    • ship a new feature release for the affected product on the release schedule

    • ship a bug fix release for all supported LTS releases of the affected product, in accordance with the Atlassian Support End-of-Life Policy.

For Crowd, Fisheye, and Crucible, we will provide a bug fix release for the latest feature release of the affected product.

Examples of critical vulnerability fixes for self-managed products:

If a critical vulnerability fix is developed on Feb 1, 2024, the following are example releases that would receive the bug fix:

  • Jira Software

    • Jira Software 9.13.x because 9.13.0 is the latest feature release

    • Jira Software 9.12.x because 9.12.0 is the latest Long Term Support release

    • Jira Software 9.4.x because 9.4.0 is the previous Long Term Support release

  • Jira Service Management

    • Jira Service Management 5.13.x because 5.13.0 is the latest feature release

    • Jira Service Management 5.12.x because 5.12.0 is the latest Long Term Support release

    • Jira Service Management 5.4.x because 5.4.0 is the second latest supported Long Term Support release

  • Confluence

    • Confluence 8.7.x because 8.7.0 is the latest feature release

    • Confluence 8.5.x because 8.5.0 is the latest Long Term Support release

    • Confluence 7.19.x because 7.19.0 is the second latest supported Long Term Support release

  • Bitbucket

    • Bitbucket 8.17.x because 8.17.0 is the latest feature release

    • Bitbucket 8.9.x because 8.9.0 is the latest Long Term Support release

    • Bitbucket 7.21.x because 7.21.0 is the second latest supported Long Term Support release

  • Bamboo

    • Bamboo 9.5.x because 9.5.0 is the latest feature release

    • Bamboo 9.2.x because 9.2.0 is the latest Long Term Support release

  • Crowd 5.3.x because 5.3.0 is the latest feature release

  • Fisheye/Crucible 4.8.x because 4.8.0 is the latest feature release

No other product versions would receive new bug fixes.

Frequent upgrades ensure that your product instances are secure. It's a best practice to stay on the latest bug fix release of the latest feature release or LTS release of your product.

Non-critical vulnerabilities

When a security issue of a High, Medium, or Low severity is discovered, Atlassian will aim to release a fix within the service level objectives listed at the beginning of this document. The fix may also be backported to Long Term Support releases, if feasible. The feasibility of backporting depends on complex dependencies, architectural changes, and compatibility, among other factors.

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.

Other information

The severity level of vulnerabilities is calculated based on Severity Levels for Security Issues.

We'll continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.

FAQ

What is a security bug fix?

A security bug fix is a set of changes made to a system or application to address vulnerabilities that could potentially be exploited by hackers. These vulnerabilities, also known as security bugs, could lead to unauthorized access, data theft, or other malicious activities.

What is a vulnerability?

A vulnerability is a weakness or flaw that may be exploited by a threat. In the context of cybersecurity, a vulnerability could be a flaw in software, a network, or a system that allows unauthorized users to gain access or cause damage. This could include things like outdated software, weak passwords, or missing data encryption.

Where can I find more information on fixed vulnerabilities in Data Center products?

Atlassian publishes monthly Security Advisories and provides access to the Vulnerability Disclosure Portal. The Vulnerability Disclosure Portal is a central hub for information about disclosed vulnerabilities in any of our products. It is updated monthly with the release of each Security Bulletin and provides an easy way to search and access data from previous bulletins.

What is a Long Term Support release?

Long Term Support releases are for Data Center customers who prefer to allow more time to prepare for upgrades to new feature versions but still need to receive bug fixes. Some products will designate a particular version to be a Long Term Support release, which means that security bug fixes will be made available for the full 2-year support window.

What is a Feature release?

A Feature release is a version (for example, Jira Software 9.11) that contains new features or major changes to existing features and that hasn't been designated a Long Term Support release. Learn more about the Atlassian Bug Fixing Policy.
We aim to develop the most effective methods for enhancing the security of our software and delivering updates faster and more frequently. When considering an upgrade, you can be sure that the latest feature release is the most secure and stable product version as it contains the most up-to-date security fixes and feature enhancements.

If you have any concerns or if you require clarification on any aspect of the updated bug fix policy, please do not hesitate to reach out to our support team.
Last modified on Feb 28, 2024
