This page last changed on Feb 03, 2008 by alui.

Application Security Overview

Because Bamboo is a distributed application, its application-level security is important. This document contains links to version-specific security advisories for the Bamboo application.

This document is intended to provide information to system administrators about the security of the Bamboo application. It does not address Bamboo's internal security model – user management and permissions – except as it relates to the overall application security.

Vulnerabilities, Advisories and Patches

If you find a security bug in Bamboo

Open an issue on http://jira.atlassian.com in the Bamboo project.

  • Set the priority of the bug to "Blocker"
  • Provide as much information on reproducing the bug as possible
  • Set the security level of the bug to "Developer and Reporters only"

All communication about the vulnerability should be performed through JIRA, so we can keep track of the issue and get a patch out as soon as possible.

Bamboo Security Advisories

When a security issue in Bamboo is discovered and resolved, we will inform customers through the following mechanisms:

  • A security advisory will be posted on this page
  • A copy of the advisory will be sent to the bamboo-users and bamboo-announce mailing lists (subscribe here). These lists are mirrored on our forums.
  • If the person who reported the issue wants to publish an advisory through some other agency (for example, CERT), we'll assist in the production of that advisory, and link to it from our own.

Our Patch Policy

When a security issue is discovered, we will endeavour to:

  • issue a new, fixed Bamboo version as soon as possible
  • issue a patch to the current stable version of Bamboo
  • issue patches for older versions of Bamboo if feasible

Patches will generally be attached to the relevant JIRA issue.

Past Security Advisories

Document generated by Confluence on Apr 14, 2008 01:39