Dear Atlassian support,
we are using several of your products and had (again) an extensive discussion in the team about how we should use the bundled Java version coming with a specific release, or use the system-wide Java, which is patched every 3 months following the Oracle quarterly announcements. Let me briefly summarize:
Always using the latest system-wide Java would make the Atlassian product more secure, but there is a chance that the product will no longer work, since we would be using a version of Java which is no longer the bundled one that originally came with a specific version, like for Jira or so.
Alternatively, always update to the latest Atlassian release, assuming that the combination of Java bundle and software stack is secure.
Since we have so many instances, following either of the two approaches mentioned above would be very time-consuming. It would be far more efficient if we were simply informed when a specific release of an Atlassian product (including the Java bundle) is a security risk. My question now is: is this information available at your end? Do you track it, or are you assuming that customers always use the latest versions? So, it's basically the following: we installed Jira (incl. the Java bundle) a year ago, and that is the release we have. Assume now that the latest Java release from Oracle comes out and has a severe vulnerability which applies to, and can be exploited using, the version of Jira we installed a year ago. Do you then inform customers about it? If so, would this information also be provided to other security entities like the US-CERT and be part of their weekly announcements? Sorry for this very long email, but I'm sure your answer will help in our discussion, so, what would you recommend we do?
Kind regards
Typically, best practices are to review the release notes for every release to see what is patched, including security patches.
Running Server on-prem, you'll want to get your team to upgrade Jira at least twice a year to stay current and get patches, which would include the JVM.
If there's a major security issue found, Atlassian would send out an email and communicate that to its customer base, as well as cross-post online.