Security Advisories & Bulletins

On this page

Still need help?

The Atlassian Community is here for you.

Ask the community

Security Bulletins are released on the third Tuesday of every month. To search previous disclosures, see our Vulnerability Disclosure Portal. For information on Atlassian cloud security, see our Security page

Security Advisories and Bulletins


What are Security Bulletins?

Security Bulletins provide you with detailed information about vulnerabilities mitigated in new versions, allowing you to make more informed decisions about updating our products outside of Critical Security Advisories requiring immediate action.

In addition to version upgrade recommendations, each Security Bulletin includes a high-level summary of the vulnerability, the CVSS score and severity (severity does not reflect risk; read more about CVSS), CVE ID, and a link to the detailed ticket on jira.atlassian.com.


FAQs

What types of vulnerabilities are included in the Security Bulletin?

Security Bulletin disclosures include unique critical and high-severity vulnerabilities as well as dependency vulnerabilities, for our server and DC products.

Is there a Security Bulletin for Cloud customers?

No, the Security Bulletin is for server and DC products only. We are able to seamlessly patch Cloud vulnerabilities without any action required on the part of the customer. For information on Atlassian cloud security, see our Security page.

What do customers need to do when a Security Bulletin is released?

Upgrading to new versions in a timely manner is an important step in keeping your Atlassian server and DC products secure, and we encourage customers to keep versions current. Though we will continue to issue Critical Security Advisories for vulnerabilities requiring immediate action, our goal with the Security Bulletin is to issue non-critical updates that can be supported on a regular maintenance schedule.

Is this change due to an increase in the number of vulnerabilities in Atlassian products?

No, the Security Bulletin and Portal are an enhancement to our ability to disclose fixed vulnerabilities, and do not reflect any changes in our processes to identify and fix them. The types of fixed vulnerabilities you will see in the new disclosures were previously fixed in released product versions. With this new monthly cadence, we’re able to offer greater transparency into the list of vulnerabilities mitigated under each new version (not just the most pressing) and encourage customers to support security best practices with a regular maintenance schedule. Atlassian will continue to issue Critical Security Advisories for vulnerabilities requiring immediate action.


Last modified on Jun 12, 2024

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.