Bamboo 2.2 : Managing Bamboo Security
This page last changed on Nov 10, 2008 by alui.
As a distributed application, Bamboo's application-level security is important. This document contains links to version-specific security advisories and related documents for the Bamboo application.
Finding and Reporting a Security Vulnerability
Open an issue on http://jira.atlassian.com in the Bamboo project.
All communication about the vulnerability should be performed through JIRA, so we can keep track of the issue and get a patch out as soon as possible.
Publication of Bamboo Security Advisories
When a security issue in Bamboo is discovered and resolved, we will inform customers through the following mechanisms:
Severity Levels
Atlassian security advisories include a severity level, rating the vulnerability as one of the following:
Below is a summary of the factors which we use to decide on the severity level, and the implications for your installation.
Severity Level: Critical
We classify a vulnerability as critical if most or all of the following are true:
Severity Level: High
We give a high severity level to those vulnerabilities which have the potential to become critical, but have one or more mitigating factors that make exploitation less attractive to attackers. For example, given a vulnerability which has many characteristics of the critical severity level, we would give it a level of high if any of the following are true:
Note: If the mitigating factor arises from a lack of technical details, the severity level would be elevated to critical if those details later became available. If your installation is mission-critical, you may want to treat this as a critical vulnerability.
Severity Level: Moderate
We give a moderate severity level to those vulnerabilities where the scales are slightly tipped in favour of the potential victim. The following vulnerabilities are typically rated moderate:
Severity Level: Low
We give a low severity level to those vulnerabilities which by themselves have typically very little impact on an organisation's infrastructure. Exploitation of such vulnerabilities usually requires local or physical system access. Exploitation may result in client-side privacy or denial of service issues and leakage of information about organisational structure, system configuration and versions, or network topology.
Our Patch Policy
When a security issue is discovered, we will endeavour to:
Patches will generally be attached to the relevant JIRA issue.
Security Advisories
Document generated by Confluence on Mar 09, 2009 17:06