Close
是否使用您的语言查看此页面?
所有语言
选择您的语言
产品
专为团队而设计
支持
免费试用
立即购买
Search Toggle menu
Close search

规划、追踪和支持

Jira Software

项目和问题追踪

Jira Align

企业级敏捷规划

Jira Core

基本业务管理

Jira Service Desk

协同 IT 服务管理

Opsgenie

现代事件管理

Statuspage

事件沟通

协作

Confluence

文档协作

Trello

直观地针对任何项目进行协作

编写代码、构建并交付

Bitbucket

Git 代码管理

Sourcetree

Git 和 Mercurial 桌面客户端

Bamboo

集成和发布管理

安全和身份管理

Atlassian Access

云的安全和控制

Crowd

自托管环境的用户管理
查看全部产品
Close dropdown

按团队规模

初创公司

非常适合初创公司,从孵化到 IPO

小型企业

为不断发展的企业提供适当的工具

企业

了解我们如何让大型团队实现成功

按团队职能

软件

规划、构建和发布优质的产品

营销

整合制胜的策略

人力资源

精简人员管理

法律

安全可靠地运行

运营

高效地运营业务

IT

提供出色的服务和支持

金融

简化所有财务流程

事件响应

针对事件做出响应、解决问题并吸取经验教训
查看全部产品
Close dropdown

Atlassian 支持

技术支持

提出支持请求单

购买和许可

定价或账户方面的帮助

文档

适用于我们所有产品的指南

迁移到云

规划从服务器到云的迁移

企业服务

支持大型团队

社区支持

社区帮助

从其他用户那里获取帮助

合作伙伴计划

了解 Atlassian 合作伙伴

查找合作伙伴

自定义专业服务

学习与联系

关于我们

了解我们的公司

诚聘英才

搜索最新的空缺职位

培训和认证

培养技能,得到 Atlassian 的认可

博客

在所有主题上的思想领导力
查看所有支持
Close dropdown

Security Bug Fix Policy

Atlassian makes it a priority to ensure that customers' systems cannot be compromised by exploiting vulnerabilities in Atlassian products.

Scope

The following describes how and when we resolve security bugs in our products. It does not describe the complete disclosure or advisory process that we follow.

Security bug fix Service Level Agreement (SLA)

We have defined the following timeframes for fixing security issues in our products:

  • Critical severity bugs (CVSS v2 score >= 8, CVSS v3 score >= 9) to be fixed in product within 4 weeks of being reported
  • High severity bugs (CVSS v2 score >= 6, CVSS v3 score >= 7) to be fixed in product within 6 weeks of being reported
  • Medium severity bugs (CVSS v2 score >= 3, CVSS v3 score >= 4) to be fixed in product within 8 weeks of being reported
     

Critical Vulnerabilities

When a Critical security vulnerability is discovered by Atlassian or reported by a third party, Atlassian will do all of the following:

  • Issue a new, fixed release for the current version of the affected product as soon as possible.
  • Issue a new maintenance release for a previous version as follows:
     

 

Product
Back port policy
Example

Jira Software Server and Data Center

Jira Core Server and Data Center

Jira Service Desk Server and Data Center

Issue new bug fix releases for:

  • Any versions designated an 'Enterprise release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Jira 8.6.x because 8.6.0 was released on 17 December 2019
  • Jira 8.5.x because 8.5.0 was released on 21 October 2019
  • Jira 8.4.x because 8.4.0 was released on 9 September 2019
  • Jira 8.3.x because 8.3.0 was released on 22 July 2019
  • Jira 7.13.x because 7.13 is an Enterprise release, and 7.13.0 was released on 28 November 2018

Confluence Server and Data Center

Issue new bug fix releases for:

  • Any versions designated an 'Enterprise release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Confluence 7.2.x because 7.2.0 was released on 12 December 2019
  • Confluence 7.1.x because 7.1.0 was released on 4 November 2019
  • Confluence 7.0.x because 7.0.0 was released on 10 September 2019
  • Confluence 6.13.x because 6.13 is an Enterprise release, and 6.13.0 was released on 4 December 2018

Bitbucket Server and Data Center

Issue new bug fix releases for:

  • Any versions designated an 'Enterprise release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Bitbucket 6.9.x because 6.9.0 was released on 10 December 2019
  • Bitbucket 6.8.x because 6.8.0 was released on 6 November 2019
  • Bitbucket 6.7.x because 6.7.0 was released on 1 October 2019
  • Bitbucket 6.6.x because 6.6.0 was released on 27 August 2019
  • Bitbucket 6.5.x because 6.5.0 was released on 24 July 2019

Bitbucket 6.3.0 was released on 14 May 2019, more than 6 months before the date of the fix. If it was designated an Enterprise release, a bug fix release would also be produced.

All other products (BambooCrucibleFisheye, etc)

We will only issue new bug fix releases for the current and previous feature release version.

For example, if a critical security bug fix is developed on 1 January 2020 for Bamboo, the following new bug fix releases would need to be produced:

  • Bamboo 6.10.x because it was released on 17 September 2019 and is the current release
  • Bamboo 6.9.x because 6.9.0 is the previous release
Product

Jira Software Server and Data Center

Jira Core Server and Data Center

Jira Service Desk Server and Data Center
Back port policy

Issue new bug fix releases for:

  • Any versions designated an 'Enterprise release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.
Example

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Jira 8.6.x because 8.6.0 was released on 17 December 2019
  • Jira 8.5.x because 8.5.0 was released on 21 October 2019
  • Jira 8.4.x because 8.4.0 was released on 9 September 2019
  • Jira 8.3.x because 8.3.0 was released on 22 July 2019
  • Jira 7.13.x because 7.13 is an Enterprise release, and 7.13.0 was released on 28 November 2018
Product

Confluence Server and Data Center
Back port policy

Issue new bug fix releases for:

  • Any versions designated an 'Enterprise release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.
Example

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Confluence 7.2.x because 7.2.0 was released on 12 December 2019
  • Confluence 7.1.x because 7.1.0 was released on 4 November 2019
  • Confluence 7.0.x because 7.0.0 was released on 10 September 2019
  • Confluence 6.13.x because 6.13 is an Enterprise release, and 6.13.0 was released on 4 December 2018
Product

Bitbucket Server and Data Center
Back port policy

Issue new bug fix releases for:

  • Any versions designated an 'Enterprise release' that have not reached end of life.
  • All feature versions released within 6 months of the date the fix is released.
Example

For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:

  • Bitbucket 6.9.x because 6.9.0 was released on 10 December 2019
  • Bitbucket 6.8.x because 6.8.0 was released on 6 November 2019
  • Bitbucket 6.7.x because 6.7.0 was released on 1 October 2019
  • Bitbucket 6.6.x because 6.6.0 was released on 27 August 2019
  • Bitbucket 6.5.x because 6.5.0 was released on 24 July 2019

Bitbucket 6.3.0 was released on 14 May 2019, more than 6 months before the date of the fix. If it was designated an Enterprise release, a bug fix release would also be produced.
Product

All other products (BambooCrucibleFisheye, etc)
Back port policy

We will only issue new bug fix releases for the current and previous feature release version.
Example

For example, if a critical security bug fix is developed on 1 January 2020 for Bamboo, the following new bug fix releases would need to be produced:

  • Bamboo 6.10.x because it was released on 17 September 2019 and is the current release
  • Bamboo 6.9.x because 6.9.0 is the previous release

It is important to stay on the latest bug fix release for the version of the product you are using (this is best practice). For example if you are on Jira Software 7.5.0, you should upgrade to Jira Software 7.5.3 proactively. If a new security bug fix is released, e.g. Jira Software 7.5.4, the delta between the two versions is minimal (i.e. only the security fix), making it easier to apply. 

The critical vulnerabilities resolution process does not apply to our Atlassian Cloud products as these services are always fixed by Atlassian without any additional action from customers.

Non-critical vulnerabilities

When a security issue of a High, Medium or Low severity is discovered, Atlassian will include a fix in the next scheduled release. The fix may also be backported to Enterprise releases, if feasible. 

You should upgrade your installations when a bug fix release becomes available to ensure that the latest security fixes have been applied.

Other information

Severity level of vulnerabilities is calculated based on Severity Levels for Security Issues.

We will continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page. 

FAQ

What is an 'Enterprise release'? Show +
  

Enterprise releases are for Server and Data Center customers who prefer to allow more time to prepare for upgrades to new feature versions, but still need to receive bug fixes. Some products will designate a particular version to be an Enterprise release, which means that security bug fixes, will be made available for the full 2 year support window.
What is a 'Feature release'? Show +
  

A Feature release is a version (for example 4.3) which contains new features or major changes to existing features, that has not been designated an Enterprise release.  See the Atlassian Bug Fixing Policy for more information on our release terminology.
Why do you only cover 6 months of Feature releases for Bitbucket, Jira and Confluence? Show +
  

Bitbucket Server releases very frequently, therefore 6 months covers 5-6 major versions. Since mid 2017, Jira and Confluence have moved to a similar release cadence, and are now also releasing 5-6 times per year.
Why do other products like Bamboo and Fisheye/Crucible only back port to one previous major version? Show +
  

Our efforts are focused on Jira, Confluence and Bitbucket Server, but we may consider extending Bamboo, Fisheye/Crucible and other products to cover additional major versions, based on the demand to do this.