Vulnerabilities come in all shapes and sizes. So the answer here does depend on what kind of vulnerability this is. We have defined a Security Bug Fix Policy that explains how we evaluate a security bug's CVSS (v2 and v3) scores. Those scores will determine the timeframe in which Atlassian expects to provide a fix.
I'd also recommend checking out our Security Advisory Publishing Policy and our Our Approach to Vulnerability Management for more information about how Atlassian operates when it comes to such vulnerabilities.
I hope this helps.