Security Advisory Publishing Policy
Publication of Security Advisories
When a critical severity security vulnerability in a self-managed Atlassian product is discovered and resolved, Atlassian will inform customers through the following mechanisms:
- We will post a security advisory on https://www.atlassian.com/trust/security at the same time as releasing a fix for the vulnerability.
- We will send a copy of all critical security advisories to the 'Alerts' mailing list for the product concerned, excluding Sourcetree.
Note: To ensure you are on this list, please update your email preferences at https://my.atlassian.com/email.
- If the person who reported the vulnerability wishes to publish an advisory through another agency, such as CERT/CC, we will assist in the production of that advisory and link to it from our Hall of Fame.
If you want to track non-critical severity security vulnerabilities, you need to monitor the issue trackers for the relevant products on https://jira.atlassian.com. For example, https://jira.atlassian.com/browse/JRACLOUD for Jira Cloud and https://jira.atlassian.com/browse/CONFSERVER for Confluence Server and Data Center. Security issues in trackers will be marked with a "security" label. All security issues will be listed in the release notes of the release where they have been fixed, similar to other bugs.