...
An exceptions are security-related bug fixes that are fixed within a specific timeframe as described here: App security incident management guidelines
Security Bug Fix Policy
We follow Atlassian’s Security Bug Fix Policy on how to solve security issues in our Cloud, Server and Datacenter apps.
Medium severity level
Medium severity vulnerabilities will be fixed within 8 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.
...
High severity level
High severity vulnerabilities will be fixed within 6 weeks of coming to our knowledge and will be included in the next scheduled bug fix release.
Moreover, these types of vulnerabilities are explicitly reported on our release notes: Release notes
...
Critical severity level
Critical severity vulnerabilities will be fixed within 4 weeks of coming to our knowledge and will be released as a bug fix release as soon as possible.
Moreover, these types of vulnerabilities are explicitly reported on our release notes: Release notes
Furthermore we will send a Security Advisory email to all known customers and evaluators, i.e. the contacts for the licenses registered at my.atlassian.com.