
Security Bug Fix Policy

Atlassian's highest priority is to ensure that customer systems are not compromised through the exploitation of vulnerabilities in our products.


Scope

This policy describes how and when we may resolve security vulnerabilities in our products.

Security Bug Fix SLOs (Service Level Objectives)

Atlassian sets service level objectives for fixing security vulnerabilities based on the security severity level and the affected product. We've defined the following timeframe objectives for fixing security issues in our products:

Accelerated Resolution Objectives

These timeframes apply to all cloud-based Atlassian products, and any other software or system that is managed by Atlassian, or is running on Atlassian infrastructure. They also apply to Jira Align (both the cloud and self-managed releases).

  • Critical vulnerabilities to be fixed in product within 10 days of being verified
  • High vulnerabilities to be fixed in product within 28 days of being verified
  • Medium vulnerabilities to be fixed in product within 84 days of being verified
  • Low vulnerabilities to be fixed in product within 175 days of being verified

Extended Resolution Objectives

These timeframe objectives apply to all self-managed Atlassian products. A self-managed product is installed by customers on customer-managed systems and includes Atlassian's Data Center and mobile apps.

  • Critical, High, and Medium vulnerabilities to be fixed in product within 90 days of being verified
  • Low vulnerabilities to be fixed in product within 180 days of being verified

Critical Vulnerabilities

When a critical vulnerability is discovered by Atlassian or reported by a third party, Atlassian will take the following actions:

  • For cloud products, we will ship a new fixed release for the affected product as soon as possible
  • For self-managed products, we will:
    • ship a bug fix release for the latest feature release of the affected product
    • ship a new feature release for the affected product on the release schedule
    • ship a bug fix release for all supported LTS releases of the affected product, in accordance with the Atlassian Support End of Life Policy.

Product: Jira Software Server and Data Center; Jira Core Server and Data Center; Jira Service Management Server and Data Center (formerly Jira Service Desk)

Backport policy: ship a new bug fix release for:

  • every version designated a Long Term Support release that has not reached end of life
  • every feature version released within the 6 months before the date the fix is released

For example, if a critical security bug fix was developed on January 1, 2020, we would produce new bug fix releases for:

  • Jira 8.6.x, because 8.6.0 was released on December 17, 2019
  • Jira 8.5.x, because 8.5.0 was released on October 21, 2019
  • Jira 8.4.x, because 8.4.0 was released on September 9, 2019
  • Jira 8.3.x, because 8.3.0 was released on July 22, 2019
  • Jira 7.13.x, because 7.13 is a Long Term Support release and 7.13.0 was released on November 28, 2018

Product: Confluence Server and Data Center

Backport policy: ship a new bug fix release for:

  • every version designated a Long Term Support release that has not reached end of life
  • every feature version released within the 6 months before the date the fix is released

For example, if a critical security bug fix was developed on January 1, 2020, we would produce new bug fix releases for:

  • Confluence 7.2.x, because 7.2.0 was released on December 12, 2019
  • Confluence 7.1.x, because 7.1.0 was released on November 4, 2019
  • Confluence 7.0.x, because 7.0.0 was released on September 10, 2019
  • Confluence 6.13.x, because 6.13 is a Long Term Support release and 6.13.0 was released on December 4, 2018

Product: Bitbucket Server and Data Center

Backport policy: ship a new bug fix release for:

  • every version designated a Long Term Support release that has not reached end of life
  • every feature version released within the 6 months before the date the fix is released

For example, if a critical security bug fix was developed on January 1, 2020, we would produce new bug fix releases for:

  • Bitbucket 6.9.x, because 6.9.0 was released on December 10, 2019
  • Bitbucket 6.8.x, because 6.8.0 was released on December 6, 2019
  • Bitbucket 6.7.x, because 6.7.0 was released on October 1, 2019
  • Bitbucket 6.6.x, because 6.6.0 was released on August 27, 2019
  • Bitbucket 6.5.x, because 6.5.0 was released on July 24, 2019

Bitbucket 6.3.0 was released on May 14, 2019, more than 6 months before the fix release date, so it falls outside the feature-release window. It is, however, designated a Long Term Support release, so a bug fix release would also be produced for Bitbucket 6.3.x.
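The rule in the three rows above (every feature version inside the 6-month window, plus every Long Term Support line that has not reached end of life) is simple enough to check mechanically, which is useful when deciding whether the version you are running will receive a backport. The following is an added example, not Atlassian's code or tooling. The Bitbucket release dates are the ones listed on this page; the "Hypothetical LTS 0.9.x" entry and its end-of-life date are constructed to show the exclusion of an expired LTS line; and interpreting "6 months" as six calendar months is an assumption.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class FeatureRelease:
    line: str                 # release line, e.g. "Bitbucket 6.3.x"
    released: date            # GA date of the x.y.0 release
    lts: bool = False         # designated a Long Term Support release
    eol: Optional[date] = None  # end-of-life date if already reached or scheduled


def months_before(d: date, months: int) -> date:
    """Return the calendar date `months` months before `d`, clamping the day
    to the length of the target month (e.g. 31 Mar -> 29 Feb in a leap year)."""
    years_back, month_index = divmod(d.month - 1 - months, 12)
    year, month = d.year + years_back, month_index + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def backport_targets(fix_date: date, releases: List[FeatureRelease]) -> List[str]:
    """Release lines that receive a critical bug fix release under the
    Jira/Confluence/Bitbucket backport rule stated on this page:
    feature versions released within the 6 months before the fix, plus
    any LTS line that is not end-of-life on the fix date."""
    window_start = months_before(fix_date, 6)  # assumption: 6 calendar months
    targets = []
    for r in releases:
        in_window = window_start <= r.released <= fix_date
        live_lts = r.lts and (r.eol is None or r.eol > fix_date)
        if in_window or live_lts:
            targets.append(r.line)
    return targets


def is_covered(line: str, fix_date: date, releases: List[FeatureRelease]) -> bool:
    """True if the given release line would get the fix on `fix_date`."""
    return line in backport_targets(fix_date, releases)


# Bitbucket release lines and dates as listed in the example above.
BITBUCKET_2020 = [
    FeatureRelease("Bitbucket 6.9.x", date(2019, 12, 10)),
    FeatureRelease("Bitbucket 6.8.x", date(2019, 12, 6)),
    FeatureRelease("Bitbucket 6.7.x", date(2019, 10, 1)),
    FeatureRelease("Bitbucket 6.6.x", date(2019, 8, 27)),
    FeatureRelease("Bitbucket 6.5.x", date(2019, 7, 24)),
    FeatureRelease("Bitbucket 6.3.x", date(2019, 5, 14), lts=True),
]

# Constructed entry (not a real product line): an LTS that has already
# reached end of life before the fix date and therefore gets no backport.
EXPIRED_LTS = FeatureRelease("Hypothetical LTS 0.9.x", date(2018, 1, 1),
                             lts=True, eol=date(2019, 12, 1))

if __name__ == "__main__":
    fix = date(2020, 1, 1)
    for line in backport_targets(fix, BITBUCKET_2020 + [EXPIRED_LTS]):
        print(line)
```

The window check uses the x.y.0 GA date of each feature line, matching how the examples on this page reason about eligibility; the LTS check only needs a known end-of-life date, so a line whose EOL is not yet scheduled is treated as still supported.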

Product: all other products (Bamboo, Crucible, Fisheye, etc.)

Backport policy: Atlassian ships new bug fix releases only for the current and the previous feature release versions.

For example, if a critical security bug fix for Bamboo was developed on January 1, 2020, we would produce new bug fix releases for:

  • Bamboo 6.10.x, because it was released on September 17, 2019 and is the latest release
  • Bamboo 6.9.x, because 6.9.0 is the previous release

For Crowd, Fisheye, and Crucible, we will provide a bug fix release for the latest feature release of the affected product.

Examples of critical vulnerability fixes for self-managed products:

If a critical vulnerability fix is developed on Feb 1, 2024, the following are example releases that would receive the bug fix:

Product: Jira Software

  • Jira Software 9.13.x, because 9.13.0 is the latest feature release
  • Jira Software 9.12.x, because 9.12.0 is the latest Long Term Support release
  • Jira Software 9.4.x, because 9.4.0 is the previous supported Long Term Support release

Product: Jira Service Management

  • Jira Service Management 5.13.x, because 5.13.0 is the latest feature release
  • Jira Service Management 5.12.x, because 5.12.0 is the latest Long Term Support release
  • Jira Service Management 5.4.x, because 5.4.0 is the previous supported Long Term Support release

Product: Confluence

  • Confluence 8.7.x, because 8.7.0 is the latest feature release
  • Confluence 8.5.x, because 8.5.0 is the latest Long Term Support release
  • Confluence 7.19.x, because 7.19.0 is the previous supported Long Term Support release

Product: Bitbucket

  • Bitbucket 8.17.x, because 8.17.0 is the latest feature release
  • Bitbucket 8.9.x, because 8.9.0 is the latest Long Term Support release
  • Bitbucket 7.21.x, because 7.21.0 is the previous supported Long Term Support release

Product: Bamboo

  • Bamboo 9.5.x, because 9.5.0 is the latest feature release
  • Bamboo 9.2.x, because 9.2.0 is the latest Long Term Support release

Product: Crowd

  • Crowd 5.3.x, because 5.3.0 is the latest feature release

Product: Fisheye/Crucible

  • Fisheye/Crucible 4.8.x, because 4.8.0 is the latest feature release

No other product versions would receive new bug fixes.

Upgrading frequently keeps your product instances secure. As a best practice, stay on the latest bug fix release of either the latest feature release or the latest Long Term Support release of your product.

Non-critical Vulnerabilities

When a security issue of a High, Medium, or Low severity is discovered, Atlassian will aim to release a fix within the service level objectives listed at the beginning of this document. The fix may also be backported to Long Term Support releases, if feasible. The feasibility of backporting depends on complex dependencies, architectural changes, and compatibility, among other factors.

When a bug fix release becomes available, upgrade your installation to apply the latest security fixes.

Other information

The severity level of vulnerabilities is calculated based on Severity Levels for Security Issues.

We'll continuously evaluate our policies based on customer feedback and will provide any updates or changes on this page.

FAQ

What is a security bug fix?

A security bug fix is a set of changes made to a system or application to address vulnerabilities that an attacker could exploit. These vulnerabilities, also known as security bugs, could lead to unauthorized access, data theft, or other malicious activity.

What is a vulnerability?

A vulnerability is a weakness or flaw that a threat can exploit. In the context of cybersecurity, a vulnerability could be a flaw in software, a network, or a system that allows unauthorized users to gain access or cause damage. Examples include outdated software, weak passwords, or missing data encryption.

Where can I find more information on fixed vulnerabilities in Data Center products?

Atlassian publishes monthly Security Bulletins, issues Security Advisories for critical vulnerabilities, and provides access to the Vulnerability Disclosure Portal. The Vulnerability Disclosure Portal is a central hub for information about disclosed vulnerabilities in any of our products. It is updated monthly with the release of each Security Bulletin and provides an easy way to search and access data from previous bulletins.

What is a Long Term Support release?

Long Term Support releases are for Data Center customers who prefer to allow more time to prepare for upgrades to new feature versions but still need to receive bug fixes. Some products will designate a particular version to be a Long Term Support release, which means that security bug fixes will be made available for the full 2-year support window.

What is a Feature release?

A Feature release is a version (for example, Jira Software 9.11) that contains new features or major changes to existing features and that hasn't been designated a Long Term Support release. Learn more about the Atlassian Bug Fixing Policy.