09. Bamboo Security

Application Security Overview

As a distributed application, Bamboo's application-level security is important. This document contains links to version-specific security advisories for the Bamboo application.

Vulnerabilities, Advisories and Patches.

If you find a security bug in Bamboo

Open an issue on http://jira.atlassian.com in the Bamboo project.

• Set the priority of the bug to "Blocker"
• Provide as much information on reproducing the bug as possible
• Set the security level of the bug to "Developer and Reporters only"

All communication about the vulnerability should be performed through JIRA, so we can keep track of the issue and get a patch out as soon as possible.

Bamboo Security Advisories

When a security issue in Bamboo is discovered and resolved, we will inform customers through the following mechanisms:

• A security advisory will be posted on this page
• A copy of the advisory will be sent to the bamboo-users and bamboo-announce mailing-lists (subscribe here). These lists are mirrored on our forums
• If the person who reported the issue wants to publish an advisory through some other agency (for example, CERT), we'll assist in the production of that advisory, and link to it from our own.

  Latest security advisory:

  • Bamboo Security Advisory 2008-02-08 (Bamboo 2.0 Beta)

Our Patch Policy

When a security issue is discovered, we will endeavour to:

• issue a new, fixed Bamboo version as soon as possible
• issue a patch to the current stable version of Bamboo
• issue patches for older versions of Bamboo if feasible

Patches will generally be attached to the relevant JIRA issue.

Past Security Advisories

• Bamboo Security Advisory 2008-02-08 (Bamboo 2.0 Beta) — The Bamboo 2.0 Beta does not include the security features that will be present in the final released product. Please note the following security implications when enabling Bamboo's remote agent functionality:
• Securing your Remote Agents