Hi developer community,
At Atlassian we’ve always taken the security of our Server and Data Center products seriously. Our vulnerability management program uses an array of approaches for finding and fixing security issues, including a top-tier bug bounty program. While we have invested in security and keeping third-party code up to date, we are doubling down in this space as security attacks become more common and more sophisticated.
With improved tools and processes in place, we are increasing our coverage to meet the security demands that are critical to our customers. The focus of this effort is to identify and fix vulnerabilities in third-party code bundled with our products. This includes fixing vulnerabilities in unreachable third-party code.
To best address this, we will be identifying and upgrading our products’ core components and libraries to the newest versions. We will not break our official APIs; however, certain libraries, transitive dependencies, internal implementation, and behaviours might change. We want to inform you regarding these plans because there might be some impact on your apps and customers that we are not able to anticipate.
In the coming months we will be informing you of these changes via the existing release processes for Atlassian’s self-managed products:
- For Jira Server and Data Center: we will be posting the necessary information in the EAPs we publish with each release. Please look for the "Upgraded dependencies and libraries" section for a detailed list of changes.
- For Confluence Server and Data Center: the information will be listed in the EAP documentation as well.
- For Crowd, Bitbucket, Bamboo and other self-managed products: the information will be shared at a later date.
If you have any questions or feedback for us, please leave us a comment under this post.
Product Manager, Server and Data Center