Close
View this page in your language?
All languages
Choose your language
Products
For teams
Support
Try now
Buy now
Search Toggle menu
Close search

Featured

Jira Software

Project and issue tracking

Confluence

Content collaboration

Jira Service Management

High-velocity ITSM

Trello

Visual project management

View all products

New products from Point A

Innovations from Atlassian

View all

Atlas

Teamwork directory

Compass

Developer experience platform

Marketplace

Connect thousands of apps for all your Atlassian products

Close dropdown

By team size

Startups

Great for startups, from incubator to IPO

Small business

Get the right tools for your growing business

Enterprise

Learn how we make big teams successful

By team function

Software

Plan, build, & ship quality products

Marketing

Bring together a winning strategy

HR

Streamline people management

Legal

Operate securely and reliably

Government

Efficient, secure, mission focused

Operations

Run your business efficiently

IT

Provide great service and support

Finance

Simplify all finance processes

Incident Response

Respond, resolve, & learn from incidents

View all products
Close dropdown

Resources

Documentation

Guides to all of our products

Atlassian Migration Program

Tools and guidance for migrating

Cloud roadmap

Upcoming feature releases

Purchasing & licensing

FAQs about our policies

Support services

Enterprise services

Personal support for large teams

Partner support

Trusted third-party consultants

Atlassian Support

A resource hub for teams and admins

Learn & connect

About us

Our mission and history

Careers

Job openings, values, and more

Atlassian University

Training and certifications for all skill levels

Atlassian Community

A forum for connecting, sharing, and learning

Close dropdown

Security Bug Fix Policy

Atlassian makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Atlassian products.

Scope

The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Objectives (SLO)

Atlassian sets service level objectives for fixing security vulnerabilities based on the security severity level and the affected product. We have defined the following timeframes for fixing security issues in our products:

Accelerated Resolution Timeframes

These timeframes apply to all cloud-based Atlassian products, and any other software or system that is managed by Atlassian, or is running on Atlassian infrastructure. They also apply to Jira Align (both the cloud and self-managed versions).

  • Critical severity bugs to be fixed in product within 2 weeks of being verified
  • High severity bugs to be fixed in product within 4 weeks of being verified
  • Medium severity bugs to be fixed in product within 6 weeks of being verified
  • Low severity bugs to be fixed in product within 25 weeks of being verified

Extended Resolution Timeframes

These timeframes apply to all self-managed Atlassian products. A self-managed product is installed by customers on customer-managed systems, and includes Atlassian's server, data center, desktop, and mobile applications.

  • Critical, High, and Medium severity bugs to be fixed in product within 90 days of being verified
  • Low severity bugs to be fixed in product within 180 days of being verified

Critical Vulnerabilities

When a Critical security vulnerability is discovered by Atlassian or reported by a third party, Atlassian will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible.
  • Issue a new maintenance release for a previous version as follows: 

 

Product
Back port policy
Example

Jira Software Server and Data Center

Jira Core Server and Data Center

Jira Service Management Server and Data Center (previously known as Jira Service Desk)

Issue new bug fix releases for:

  • Any versions designated an 'Long Term Support release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Jira 8.6.x because 8.6.0 was released on 17 December 2019
  • Jira 8.5.x because 8.5.0 was released on 21 October 2019
  • Jira 8.4.x because 8.4.0 was released on 9 September 2019
  • Jira 8.3.x because 8.3.0 was released on 22 July 2019
  • Jira 7.13.x because 7.13 is a Long Term Support release, and 7.13.0 was released on 28 November 2018

Confluence Server and Data Center

Issue new bug fix releases for:

  • Any versions designated a 'Long Term Support release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Confluence 7.2.x because 7.2.0 was released on 12 December 2019
  • Confluence 7.1.x because 7.1.0 was released on 4 November 2019
  • Confluence 7.0.x because 7.0.0 was released on 10 September 2019
  • Confluence 6.13.x because 6.13 is a Long Term Support release, and 6.13.0 was released on 4 December 2018

Bitbucket Server and Data Center

Issue new bug fix releases for:

  • Any versions designated a 'Long Term Support release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Bitbucket 6.9.x because 6.9.0 was released on 10 December 2019
  • Bitbucket 6.8.x because 6.8.0 was released on 6 November 2019
  • Bitbucket 6.7.x because 6.7.0 was released on 1 October 2019
  • Bitbucket 6.6.x because 6.6.0 was released on 27 August 2019
  • Bitbucket 6.5.x because 6.5.0 was released on 24 July 2019

Bitbucket 6.3.0 was released on 14 May 2019, more than 6 months before the date of the fix. If it was designated a Long Term Support release, a bug fix release would also be produced.

All other products (BambooCrucibleFisheye, etc)

We will only issue new bug fix releases for the current and previous feature release version.

For example, if a critical security bug fix is developed on 1 January 2020 for Bamboo, the following new bug fix releases would need to be produced:

  • Bamboo 6.10.x because it was released on 17 September 2019 and is the current release
  • Bamboo 6.9.x because 6.9.0 is the previous release

 

Product
Back port policy
Example

Jira Software Server and Data Center

Jira Core Server and Data Center

Jira Service Management Server and Data Center (previously known as Jira Service Desk)

Confluence Server and Data Center

Bitbucket Server and Data Center

Bamboo Server and Data Center

Issue new bug fix releases for:

  • Any versions designated an 'Long Term Support release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.

If a critical security bug fix is developed on 2020/01/01, the following are example releases that would receive the bug fix:

  • Jira 8.6.x because 8.6.0 was released on 2019/12/17
  • Confluence 6.13.x because 6.13 is a Long Term Support release, and 6.13.0 was released on 2018/12/4
  • Bitbucket 6.7.x because 6.7.0 was released on 2019/10/01
  • Bamboo 6.10.x because 6.10.2 was released on 2019/09/17

The following are examples of releases that would not receive new bug fix releases:

  • Jira 7.6.x because 7.6.0 is a Long Term Support release, and 7.6.0 was released on 2017/11/16
  • Confluence 6.14.x because 6.14.0 was released on 2019/01/22
  • Bitbucket 6.3.x because 6.3.0 was released on 2019/05/14
  • Bamboo 6.9.x because 6.9.0 was released on 2019/05/23

All other products (CrucibleFisheye, etc)

We will only issue new bug fix releases for the current and previous feature release version.

For example, if a critical security bug fix is developed on 1 January 2020 for Crowd, the following new bug fix releases would need to be produced:

  • Crowd 3.7.x because it was released on 3 October 2019 and is the current release
  • Crowd 3.6.x because it’s the previous release
Product

Jira Software Server and Data Center

Jira Core Server and Data Center

Jira Service Desk Server and Data Center
Back port policy

Issue new bug fix releases for:

  • Any versions designated a 'Long Term Support release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.
Example

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Jira 8.6.x because 8.6.0 was released on 17 December 2019
  • Jira 8.5.x because 8.5.0 was released on 21 October 2019
  • Jira 8.4.x because 8.4.0 was released on 9 September 2019
  • Jira 8.3.x because 8.3.0 was released on 22 July 2019
  • Jira 7.13.x because 7.13 is a Long Term Support release, and 7.13.0 was released on 28 November 2018
Product

Confluence Server and Data Center
Back port policy

Issue new bug fix releases for:

  • Any versions designated a 'Long Term Support release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.
Example

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Confluence 7.2.x because 7.2.0 was released on 12 December 2019
  • Confluence 7.1.x because 7.1.0 was released on 4 November 2019
  • Confluence 7.0.x because 7.0.0 was released on 10 September 2019
  • Confluence 6.13.x because 6.13 is a Long Term Support release, and 6.13.0 was released on 4 December 2018
Product

Bitbucket Server and Data Center
Back port policy

Issue new bug fix releases for:

  • Any versions designated a 'Long Term Support release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.
Example

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Bitbucket 6.9.x because 6.9.0 was released on 10 December 2019
  • Bitbucket 6.8.x because 6.8.0 was released on 6 November 2019
  • Bitbucket 6.7.x because 6.7.0 was released on 1 October 2019
  • Bitbucket 6.6.x because 6.6.0 was released on 27 August 2019
  • Bitbucket 6.5.x because 6.5.0 was released on 24 July 2019

Bitbucket 6.3.0 was released on 14 May 2019, more than 6 months before the date of the fix. If it was designated a Long Term Support release, a bug fix release would also be produced.
Product

All other products (BambooCrucibleFisheye, etc)
Back port policy

We will only issue new bug fix releases for the current and previous feature release version.
Example

For example, if a critical security bug fix is developed on 1 January 2020 for Bamboo, the following new bug fix releases would need to be produced:

  • Bamboo 6.10.x because it was released on 17 September 2019 and is the current release
  • Bamboo 6.9.x because 6.9.0 is the previous release

It is important to stay on the latest bug fix release for the version of the product you are using (this is best practice). For example if you are on Jira Software 7.5.0, you should upgrade to Jira Software 7.5.3 proactively. If a new security bug fix is released, e.g. Jira Software 7.5.4, the delta between the two versions is minimal (i.e. only the security fix), making it easier to apply. 

The critical vulnerabilities resolution process does not apply to our Atlassian Cloud products as these services are always fixed by Atlassian without any additional action from customers.

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, Atlassian will aim to release a fix within the service level objectives listed at the beginning of this document. The fix may also be backported to Long Term Support releases, if feasible. 

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.

Other information

Severity level of vulnerabilities is calculated based on Severity Levels for Security Issues.

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page. 

FAQ

What is a 'Long Term Support release'? Copy link to heading Copied! Show +
  

Long Term Support releases are for Server and Data Center customers who prefer to allow more time to prepare for upgrades to new feature versions, but still need to receive bug fixes. Some products will designate a particular version to be a Long Term Support release, which means that security bug fixes, will be made available for the full 2 year support window.
What is a 'Feature release'? Copy link to heading Copied! Show +
  

A Feature release is a version (for example 4.3) which contains new features or major changes to existing features, that has not been designated a Long Term Support release.  See the Atlassian Bug Fixing Policy for more information on our release terminology.
Why do you only cover 6 months of Feature releases for Bitbucket, Jira and Confluence? Copy link to heading Copied! Show +
  

Bitbucket Server releases very frequently, therefore 6 months covers 5-6 major versions. Since mid 2017, Jira and Confluence have moved to a similar release cadence, and are now also releasing 5-6 times per year.
Why do other products like Bamboo and Fisheye/Crucible only back port to one previous major version? Copy link to heading Copied! Show +
  

Our efforts are focused on Jira, Confluence and Bitbucket Server, but we may consider extending Bamboo, Fisheye/Crucible and other products to cover additional major versions, based on the demand to do this.