And maybe start watching the " Trust and security "  group

Do you have a link for me?

yes, Trust & Security - Atlassian Community

Thanks but that is too much info.

Maybe I should point it out more clearly. I am interested in new releases which are containing security fixes.

The releases are not broken down by what area they are fixing. 

Some releases may be just fixing a security issue.  Some releases may be fixing a non-security issue.  Some releases may add or improve a single function.

But most releases contain many changes and a complete mix of improvements, new stuff, non-security fixes and security fixes.

So, if you want to know about releases that contain security fixes, you need to look at ALL the releases.

Hehe, and who is doing it? Me, you, the customer...so many other people.

That should be optimized. Just saying. So far for me this topic is closed.

Even if you "optimised" it, you'd still be getting 90% of the release notes, there's almost always something in one that someone sees as a security thing.

You mean internally at Atlassian you are not clear about what is security related and what not? CVEs are scoring issues so you can just orientate yourself on that I would say.

It shouldn´t be so hard to declare that this security fix is a critical one and users should update immediately and get informed in this or that way.

Nope.

I'm not an Atlassian.

It's not Atlassian who judge it either.  I had two meetings today where security issues were discussed and one client's significant security concern is another client's "that's not a security issue".  CVEs are a good indicator, and I'd say "if it's a CVE it should be a security issue", but there's a whole load of stuff that one of today's clients classify as a security issue for which there is no CVE, and the other client does not class it as such.

There are some issues that are easy to flag as security issues, yes, but there's a surprisingly large subjective grey area.

And, users are informed if they want - you can subscribe to rhe releases (I prefer the RSS feed myself).  Critical security releases notify all registered holders of DC/Server licences irrespective of whether they've subscribed as well, it's part of the agreement that you'll be sent them.

Which rss feed to you use?

All of the release ones

(I don't bother with the EAPs, it's very rare consultants need to be tinkering with new features before release, and we hear about upcoming planned features and change through other routes)

I just thought more of you providing a link or two. Just as an example.

Sorry, I got this thread mixed up with another one that is talking about release announcements and content, where I had already posted https://developer.atlassian.com/platform/marketplace/early-access-program/ - that's why I mentioned EAPs - the page starts with them, but it's the second set of feeds that are more useful.

Nice, thx. :)

Yes @easyit you will get email with default settings, I'm also watching this page for new releases.

Noice, thx.