Out of contract security patches

We currently have an active support license for the download edition of Jira. I was wondering what would happen once our license expires if another issue crops up like the one in today's security alert?

On the Atlassian site it talks about renewing your software maintenance as being entirely optional (http://www.atlassian.com/licensing/purchase-licensing#softwaremaintenance-2) and talks about giving you new features and online support - but no mention of security fixes.

I'd hope that critical security patches would be released to everyone, regardless of support contract status, at least for a reasonable lifetime of the product ... but I can't find a clear statement either way.

Accepted answer

As per your link, "After the first 12 months, your software maintenance will expire and you will no longer be able to receive technical support or software updates."

I think it depends on the nature of the security patch. In instances where I've seen only particular jars are patched, you can easily do that, but when it's a totally new version release then you'd need a license.

The security advisory today seemed pretty serious (potential admin access for non-account holders), and came with some links to patches for older releases, so I guess you'd be able to apply those without a current license? ... but would we still have been sent the security alert emails to even find out about the issue?

Hi, are you referring to the Bamboo Security issue? https://jira.atlassian.com/browse/BAM-12066 - the one here's definitely a patch on some files. As it's not a version upgrade, it should be fine.

Edit: same for JIRA https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28 - provided you're on a version that can be patched. Edit: however, this JIRA one does need upgrading to JIRA 5.1. Not all the issues can be solved by patching.

It was this one in particular (one of the issues in the Jira advisory you linked to) that'd concern me the most: https://jira.atlassian.com/browse/JRA-29403.

When out of contract would we still get these security advisory emails so we could at least look into whether a patch is available, and if not weigh up the pros/cons of renewing the license for an upgrade? Or would we only find out if we got hacked?

I'd be worried too, but even more problematic is that we'll have issues upgrading due to plugins that we use. I think this is the same with most companies though - support/updates are subscription based. Nothing I see out of the norm.

I understand that updates would only be available to users with a current/active subscription. Like you say, there's nothing out of the ordinary there. I was just looking for some clarity. It'd be nice if the benefits of renewing software maintenance in the licensing FAQ could be reworded as 'If you're after new features, ever improving usability, critical security patches and the latest innovations in issue tracking ...' ;)

There's still the issue of (when support subscription expires) not being made aware of critical security issues that could be worth re-subscribing to address (or to find out about available workarounds for those not able to update), but it looks like that can easily be solved by putting a watch on this page: https://confluence.atlassian.com/display/JIRA/Security+Advisories .... so, that's what I've done.

I don't think Atlassian would restrict security patches based on being in contract or not. The last thing they want is stories about their software being hacked, like the ASF one. As Harry said, the security patches are just patches; providing the version you use is still in the support window, you should be able to install it.

My point really is that it would be entirely counter-productive for Atlassian to deny access to security patches, so you should probably not worry.
