Bugcrowd security issue #1 on SQL Connector

Current status:

• Discovered on Thursday 9pm,

• The immediate vulnerability was closed within 4 hours,

• Atlassian was notified within 4 hrs,

• The users (i.e. the email on the licenses) were notified within 24hrs,

• Many restrictions to avoid similar vulnerabilities were created in the following 3 days,

• We've announced the end-of-life of the SQL Connector at the same time. There are many alternatives on the Atlassian Marketplace.

Current status:

• Waiting for detailed information from the security researcher,

• Writing the communication to customers, to publish tomorrow after collecting their contacts,

• We'll need to investigate adjacent vulnerabilities.

The immediate vulnerability is fixed.
DB not accessible from the public.
Atlassian is informed.
App secret was changed, too.