Security Bug Fix Policy

Atlassian makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Atlassian products.


Scope

This page describes when and how we release security bug fixes for our products. It does not describe the complete disclosure process that we follow.

This policy excludes OnDemand, HipChat.com and Bitbucket, since these services are always fixed by Atlassian without any additional notifications.


Security Bugfix Service Level Agreement (SLA)

We attempt to meet the following timeframes for fixing security issues.

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) should be fixed in product within 4 weeks of being reported.
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) should be fixed in product within 6 weeks of being reported.
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) should be fixed in product within 8 weeks of being reported.


Critical vulnerabilities

When a Critical security vulnerability is discovered by Atlassian or reported by a third party, Atlassian will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible.
  • Issue a new maintenance release for a previous version as follows:
Product: JIRA
Back port policy: Issue a new maintenance release for the previous major versions (JIRA 6.1, 6.2 ...) that have been released within 12 months of the date the fix is released. This change is effective with JIRA 6.1 (i.e. JIRA 6.0 and earlier will not be covered under this policy).
Example: If a critical security bug fix is developed on 20-Aug-2014, the following new maintenance releases would need to be produced:
  • JIRA 6.3.x because JIRA 6.3 is the current JIRA release
  • JIRA 6.2.x because JIRA 6.2 was released on 25-Feb-2014
  • JIRA 6.1.x because JIRA 6.1 was released on 23-Sep-2013

Product: Confluence
Back port policy: Issue a new maintenance release for the previous major versions (Confluence 5.5, 5.6 ...) that have been released within 12 months of the date the fix is released. This change is effective with Confluence 5.5 (i.e. Confluence 5.4 and earlier will not be covered under this policy).
Example: If a critical security bug fix is developed on 20-Aug-2014, the following new maintenance releases would need to be produced:
  • Confluence 5.6.x because Confluence 5.6 is the current Confluence release
  • Confluence 5.5.x because Confluence 5.5 was released on 30-Apr-2014

Product: Bitbucket Server
Back port policy: Issue a new maintenance release for the previous major versions (Bitbucket Server 2.11, 2.12, 3.0 ...) that have been released within 6 months of the date the fix is released. This change is effective with Bitbucket Server 2.11 (i.e. Bitbucket Server 2.10 and earlier will not be covered under this policy).
Example: If a critical security bug fix is developed on 20-Aug-2014, the following new maintenance releases would need to be produced:
  • Bitbucket Server 3.3.x because Bitbucket Server 3.3 is the current Bitbucket Server release
  • Bitbucket Server 3.2.x because Bitbucket Server 3.2 was released on 30-Jul-2014
  • Bitbucket Server 3.1.x because Bitbucket Server 3.1 was released on 24-Jun-2014
  • Bitbucket Server 3.0.x because Bitbucket Server 3.0 was released on 20-May-2014
  • Bitbucket Server 2.12.x because Bitbucket Server 2.12 was released on 25-Mar-2014
  • Bitbucket Server 2.11.x because Bitbucket Server 2.11 was released on 25-Feb-2014

Product: All other products (Bamboo, Fisheye, Service Desk, etc.)
Back port policy: We will only issue a new maintenance release for the previous major release version.
Example: For Bamboo, if a critical security bug fix is developed on 20-Aug-2014, the following new maintenance releases would need to be produced:
  • Bamboo 5.6.x because Bamboo 5.6 is the current release
  • Bamboo 5.5.x because Bamboo 5.5 is the previous major release

It is important to stay on the latest maintenance release for the version of the product you are using (this is best practice). For example, if you are on JIRA 6.1.3, you should upgrade to JIRA 6.1.8 proactively. If a new security bug fix is then released, e.g. JIRA 6.1.9, the delta between the two versions is minimal (i.e. only the security fix), making it easier to apply.


Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, Atlassian will include the fix in the next scheduled maintenance release.

You should upgrade your installation in order to fix the vulnerability.


Other information

The severity level of a vulnerability is calculated according to Severity Levels for Security Issues.

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.


FAQ

Why does Bitbucket Server cover 6 months of major releases while JIRA and Confluence cover 12 months?

Bitbucket Server is a relatively young product and releases more frequently, so 6 months already covers 5-6 major versions. For JIRA and Confluence, 12 months covers approximately 3 major releases.

Why do other products like Bamboo, Service Desk and Fisheye/Crucible only back port to one previous major version?

We are focusing our efforts on JIRA, Confluence and Bitbucket Server to start with, but we will consider extending Bamboo, Fisheye/Crucible and other products to cover additional major versions, based on the demand for this.