Security Bug Fix Policy

Atlassian makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Atlassian products.


Scope

This page describes when and how we release security bug fixes for our products. It does not describe the complete disclosure process that we follow.

This policy excludes our Cloud products (formerly known as OnDemand), Bitbucket, Trello, Stride and HipChat.com, since these services are always fixed by Atlassian without any additional notifications.

Security bug fix Service Level Agreement (SLA)

We attempt to meet the following timeframes for fixing security issues.

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) should be fixed in product within 4 weeks of being reported.
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) should be fixed in product within 6 weeks of being reported.
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) should be fixed in product within 8 weeks of being reported.


Critical vulnerabilities

When a Critical security vulnerability is discovered by Atlassian or reported by a third party, Atlassian will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible.
  • Issue a new maintenance release for previous versions. The back port policy, with an example, is listed per product below.

Jira Server and Data Center

Back port policy: issue new bug fix releases for:

  • All feature versions (e.g. 7.1, 7.2) released within 6 months of the date the fix is released
  • Any versions designated an 'Enterprise release' that have not reached end of life.

This change is effective from January 2018, and applies to all current and future releases.

Example: if a critical security bug fix is developed on 1 December 2017, the following new bug fix releases would need to be produced:

  • Jira 7.6.x because it is the current release
  • Jira 7.5.x because 7.5.0 was released on 6 September 2017
  • Jira 7.4.x because 7.4.0 was released on 29 June 2017

If, for example, 7.1 was designated an Enterprise release, it would also get the fix, as it had not reached end of life on that date.

Confluence Server and Data Center

Back port policy: issue new bug fix releases for:

  • All feature versions released within 6 months of the date the fix is released
  • Any versions designated an 'Enterprise release' that have not reached end of life.

This change is effective from January 2018, and applies to all current and future releases.

Example: if a critical security bug fix is developed on 1 December 2017, the following new bug fix releases would need to be produced:

  • Confluence 6.6.x because it is the current release
  • Confluence 6.5.x because 6.5.0 was released on 1 November 2017
  • Confluence 6.4.x because 6.4.0 was released on 6 September 2017
  • Confluence 6.3.x because 6.3.0 was released on 12 July 2017
  • Confluence 6.2.x because 6.2.0 was released on 15 May 2017

If, for example, 5.10 was designated an Enterprise release, it would also get the fix, as it had not reached end of life on that date.

Bitbucket Server and Data Center

Back port policy: issue new bug fix releases for all feature versions released within 6 months of the date the fix is released.

Example: if a critical security bug fix is developed on 1 December 2017, the following new bug fix releases would need to be produced:

  • Bitbucket 5.6.x because it is the current release
  • Bitbucket 5.5.x because 5.5.0 was released on 24 October 2017
  • Bitbucket 5.4.x because 5.4.0 was released on 19 September 2017
  • Bitbucket 5.3.x because 5.3.0 was released on 15 August 2017
  • Bitbucket 5.2.x because 5.2.0 was released on 11 July 2017
  • Bitbucket 5.1.x because 5.1.0 was released on 6 June 2017
  • Bitbucket 5.0.x because 5.0.0 was released on 2 May 2017

All other products (Bamboo, Crucible/Fisheye, Service Desk, etc.)

Back port policy: we will only issue new bug fix releases for the previous feature release version.

Example: if a critical security bug fix is developed on 1 December 2017 for Bamboo, the following new bug fix releases would need to be produced:

  • Bamboo 6.2.x because it is the current release
  • Bamboo 6.1.x because 6.1.x is the previous release

It is important to stay on the latest bug fix release for the version of the product you are using (this is best practice). For example, if you are on Jira Software 7.5.0, you should upgrade to Jira Software 7.5.3 proactively. If a new security bug fix is then released, e.g. Jira Software 7.5.4, the delta between the two versions is minimal (i.e. only the security fix), making it easier to apply.


Non-critical vulnerabilities

When a security issue of High, Medium or Low severity is discovered, Atlassian will include a fix in the next scheduled bug fix release. The fix may also be backported to Enterprise releases, if feasible.

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.


Other information

The severity level of a vulnerability is calculated based on our Severity Levels for Security Issues.

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.


FAQ

What is an 'Enterprise release'?

Enterprise releases are for Server and Data Center customers who prefer to allow more time to prepare for upgrades to new feature versions, but still need to receive bug fixes. Some products will designate a particular version to be an Enterprise release, which means that security bug fixes will be made available for the full 2 year support window.

What is a 'Feature release'?

A Feature release is a version (for example 4.3) that contains new features or major changes to existing features and has not been designated an Enterprise release. See the Atlassian Bug Fixing Policy for more information on our release terminology.


Why do you only cover 6 months of Feature releases for Bitbucket, Jira and Confluence?

Bitbucket Server releases very frequently, so 6 months covers 5-6 major versions. Since mid 2017, Jira and Confluence have moved to a similar release cadence, and are now also releasing 5-6 times per year.

Why do other products like Bamboo, Service Desk and Fisheye/Crucible only back port to one previous major version?

Our efforts are focused on Jira, Confluence and Bitbucket Server, but we may consider extending Bamboo, Fisheye/Crucible and other products to cover additional major versions, based on the demand to do this.