Publishing Policy
When a critical severity security vulnerability is discovered and resolved, we will inform customers through the following mechanisms:
- We will post a security advisory on https://confluence.xpand-it.com/display/XRAY/Security+Advisories at the same time as releasing a fix for the vulnerability.
- We will send an email copy of all critical security advisories to the technical contacts we have in our database.
If you want to track non-critical severity security vulnerabilities, you need to monitor the issue trackers for the relevant products on https://jira.xpand-it.com/, for example, https://jira.xpand-it.com/browse/XRAY for Xray for Jira Server and Data Center. Security issues are marked with security labels: security_vulnerability_critical, security_vulnerability_high, security_vulnerability_medium, security_vulnerability_low).
All security issues will be listed in the release notes of the release where they have been fixed, similar to other bugs.