Security Bug Fix Policy
Scope
This policy describes how and when we may resolve security vulnerabilities in our products.
Security bug fix service level objectives (SLOs)
Atlassian sets service level objectives for fixing security vulnerabilities based on the security severity level and the affected product. We've defined the following timeframe objectives for fixing security issues in our products:
Accelerated Resolution Objectives
These timeframes apply to:
- All cloud-based Atlassian products
- Any software or system managed by Atlassian
- Any software or system running on Atlassian infrastructure
- Jira Align, cloud and self-managed releases
Depending on the vulnerability level, we defined the following timelines for applying the fix in a product after verifying:
- Critical - 14 days
- High - 28 days
- Medium - 42 days
- Low - 175 days
Extended Resolution Timeframes
These timeframe objectives apply to all Data Center Atlassian products. Data center products are installed by customers on customer-managed systems and include Atlassian's Data Center and mobile apps.
- Critical, High, and Medium severity vulnerabilities to be fixed in a product within 90 days of being verified
- Low severity vulnerabilities to be fixed in a product within 180 days of being verified
Shared responsibility model
While Atlassian is committed to delivering secure products out of the box, we also rely on a shared responsibility model. This model requires customers to implement practices that continue beyond deployment and extend into operational phases. Some of these responsibilities include:
- Operating Atlassian software on private networks.
- Ensuring timely implementation of security fixes once they're released.
- Configuring Web Application Firewalls (WAF), VPNs, multi-factor authentication, and single sign-on.
- Implementing encryption and access controls.
- Performing regular backups.
- Conducting regular security audits.
Critical Vulnerabilities
When a critical vulnerability is discovered by Atlassian or reported by a third party, Atlassian will take the following actions:
- For cloud products, we will ship a new fixed release for the affected product as soon as possible
- For self-managed products, we will:
- Ship a bug fix release for the latest feature release of the affected product.
- Ship a new feature release for the affected product on the release schedule.
- Ship a bug fix release for all supported LTS releases of the affected product, in accordance with the Atlassian Support End of Life Policy.
Product | Back port policy | Example |
|---|---|---|
| Jira Software Server and Data Center Jira Server and Data Center Jira Service Management Server and Data Center (previously known as Jira Service Desk) | Issue new bug fix releases for:
| For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:
|
| Confluence Server and Data Center | Issue new bug fix releases for:
| For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:
|
| Bitbucket Server and Data Center | Issue new bug fix releases for:
| For example, if a critical security bug fix is developed on 1 January 2020, the following new bug fix releases would need to be produced:
Bitbucket 6.3.0 was released on 14 May 2019, more than 6 months before the date of the fix. If it was designated a Long Term Support release, a bug fix release would also be produced. |
| We will only issue new bug fix releases for the current and previous feature release version. | For example, if a critical security bug fix is developed on 1 January 2020 for Bamboo, the following new bug fix releases would need to be produced:
|
For Crowd, Fisheye, and Crucible, we will provide a bug fix release for the latest feature release of the affected product.
Examples of critical vulnerability fixes for self-managed products:
If a critical vulnerability fix is developed on Feb 1, 2024, the following are example releases that would receive the bug fix:
Product | Example |
|---|---|
| Jira Software | Example Jira Software 9.13.x because 9.13.0 is the latest feature release |
| Example Jira Software 9.12.x because 9.12.0 is the latest Long Term Support release | |
| Example Jira Software 9.4.x because 9.4.0 is the previous Long Term Support release | |
| Jira Service Management | Example Jira Service Management 5.13.x because 5.13.0 is the latest feature release |
| Example Jira Service Management 5.12.x because 5.12.0 is the latest Long Term Support release | |
| Example Jira Service Management 5.4.x because 5.4.0 is the second latest supported Long Term Support release | |
| Confluence | Example Confluence 8.7.x because 8.7.0 is the latest feature release |
| Example Confluence 8.5.x because 8.5.0 is the latest Long Term Support release | |
| Example Confluence 7.19.x because 7.19.0 is the second latest supported Long Term Support release | |
| Bitbucket | Example Bitbucket 8.17.x because 8.17.0 is the latest feature release |
| Example Bitbucket 8.9.x because 8.9.0 is the latest Long Term Support release | |
| Example Bitbucket 7.21.x because 7.21.0 is the second latest supported Long Term Support release | |
| Bamboo | Example Bamboo 9.5.x because 9.5.0 is the latest feature release |
| Example Bamboo 9.2.x because 9.2.0 is the latest Long Term Support release | |
| Crowd | Example Crowd 5.3.x because 5.3.0 is the latest feature release |
| Fisheye/Crucible | Example Fisheye/Crucible 4.8.x because 4.8.0 is the latest feature release |
No other product versions would receive new bug fixes.
Frequent upgrades ensure that your product instances are secure. It's a best practice to stay on the latest bug fix release of the latest feature release or LTS release of your product.
Non-critical vulnerabilities
When a security issue of High, Medium, or Low severity is discovered, Atlassian will aim to release a fix within the service level objectives listed at the beginning of this document. If feasible, the fix may also be backported to Long-Term Support releases. The feasibility of backporting is influenced by a variety of factors, including software dependencies, architectural modifications, and compatibility issues, among others.
To ensure your installations contain the latest security fixes, upgrade them whenever a bug fix release becomes available.
Other information
The severity level of vulnerabilities is calculated based on Severity Levels for Security Issues.
We'll continuously evaluate our policies based on customer feedback and provide any updates or changes on this page.