Security Advisory Publishing Policy

Publication of Security Advisories

When a critical severity security vulnerability in a self-managed Atlassian product is discovered and resolved, Atlassian will inform customers through the following mechanisms:

If you want to track non-critical severity security vulnerabilities, you need to monitor the issue trackers for the relevant products on

For example, for Jira Cloud and for Confluence Data Center. Security vulnerabilities in trackers will use the Public Security Vulnerability issue type. All security vulnerabilities will be listed in the release notes of the release where they have been fixed, similar to other bugs.

Critical third-party dependency vulnerabilities that present a lower assessed risk with Atlassian’s application will be reported in monthly Security Bulletins instead of a Critical Security Advisory.