The security advisory today seemed pretty serious (potential admin access for non-account holders), and came with some links to patches for older releases, so I guess you'd be able to apply those without a current license? ... but would we still have been sent the security alert emails to even find out about the issue?

Hi, are you referring to the Bamboo Security issue? https://jira.atlassian.com/browse/BAM-12066 - the one here's definitely a patch on some files. As it's not a version upgrade, it should be fine.

Edit: same for JIRA https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2012-08-28 - provided you're on a version that can be patched. Edit: however, this JIRA one does need upgrading to JIRA 5.1. Not all the issues can be solved by patching.

It was this one in particular (one of the issues in the Jira advisory you linked to) that'd concern me the most: https://jira.atlassian.com/browse/JRA-29403.

When out of contract would we still get these security advisory emails so we could at least look into whether a patch is available, and if not weigh up the pros/cons of renewing the license for an upgrade? Or would we only find out if we got hacked?

I'd be worried too, but even more problematic is that we'll have issues upgrading due to plugins that we use. I think this is the same with most companies though - support/updates are subscription based. Nothing I see out of the norm.

I understand that updates would only be available to users with a current/active subscription. Like you say, there's nothing out of the ordinary there. I was just looking for some clarity. It'd be nice if the benefits of renewing software maintenance in the licensing FAQ could be reworded as 'If you're after new features, ever improving usability, critical security patches and the latest innovations in issue tracking ...' ;)

There's still the issue of (when support subscription expires) not being made aware of critical security issues that could be worth re-subscribing to address (or to find out about available workarounds for those not able to update), but it looks like that can easily be solved by putting a watch on this page: https://confluence.atlassian.com/display/JIRA/Security+Advisories .... so, that's what I've done.

I don't think Atlassian would restrict security patches based on being in contract or not. The last thing they want is stories about their software being hacked, like the ASF one. As Harry said the security patches are just patches, providing the version you use is still in the support window you should be able to install it.

My point really is that it would be entirely counter-productive for Atlassian to deny access to security patches, so you should probably not worry.