The first step in keeping your Atlassian server and DC products secure is keeping them current, and we’re making it easier to stay up-to-date with our new monthly Security Bulletin and searchable Vulnerability Disclosure Portal! Launched last month, these disclosures support security best practices by issuing updates on a regular maintenance schedule and offer enhanced transparency into the range of risks mitigated under each new version. Atlassian will continue to issue Critical Security Advisories for vulnerabilities requiring immediate action.
On the third Tuesday of each month, the Security Bulletin will be posted at Security Advisories and the disclosed vulnerabilities will be added to the Vulnerability Disclosure Portal (Security at Atlassian: Vulnerabilities). You can register for Security Bulletin alerts in the Tech Alerts section of your email preferences.
Keep reading to learn more about what you can expect from our new security disclosures.
The Security Bulletin will provide you with detailed information about the vulnerabilities mitigated in new versions, allowing you to make more informed decisions about updating our products outside of Critical Security Advisories requiring immediate action.
In addition to version upgrade recommendations, each Security Bulletin includes a high-level summary of the vulnerability, the CVSS score and severity (severity does not reflect risk; read more about CVSS), CVE ID, and a link to the detailed ticket on jira.atlassian.com.
The Vulnerability Disclosure Portal is a central hub for information about disclosed vulnerabilities in any of our products. It is updated monthly with the release of each Security Bulletin and provides an easy way to search and access data from previous bulletins.
Portal data and filtering capabilities are also available through our Security Vulnerability API for customers who wish to access this data programmatically.
Vulnerability Disclosure Portal, Security at Atlassian: Vulnerabilities
More details can be found by clicking on any of the CVEs.
Security Bulletin disclosures include unique critical and high-severity vulnerabilities, as well as dependency vulnerabilities, for our server and DC products.
No, the Security Bulletin is for server and DC products only. We are able to seamlessly patch Cloud vulnerabilities without any action required on the part of the customer. For information on Atlassian cloud security, see our Security page.
Upgrading to new versions in a timely manner is an important step in keeping your Atlassian server and DC products secure, and we encourage customers to keep versions current. Though we will continue to issue Critical Security Advisories for vulnerabilities requiring immediate action, our goal with the Security Bulletin is to issue non-critical updates that can be supported on a regular maintenance schedule.
No, the Security Bulletin and Portal are an enhancement to our ability to disclose fixed vulnerabilities, and do not reflect any changes in our processes to identify and fix them. The types of fixed vulnerabilities you will see in the new disclosures were previously fixed in released product versions. With this new monthly cadence, we’re able to offer greater transparency into the list of vulnerabilities mitigated under each new version (not just the most pressing) and encourage customers to support security best practices with a regular maintenance schedule. Atlassian will continue to issue Critical Security Advisories for vulnerabilities requiring immediate action.
The next bulletin will be released on Aug 15, 2023; you will be able to find it here.
Erin Jensby