...
Depending on the severity of the CVE, we may notify customers at this point. Notification is driven by the technical contact recorded in the Atlassian billing system (this applies to Data Center customers only), allowing a mail merge notification.
When a remediation and a fix have been made available, we will issue a further (final) notification to that effect, again to Data Center customers only.
Server Customer notifications
We can’t guarantee to notify Server customers directly, as we don’t centrally store end user technical contacts. A request would be made to Atlassian for technical contact information for Server customers, enabling a mail merge notification.
There will be a blog entry on our app space (here) as well as prominent references in the app release notes. Server customers can subscribe to the Marketplace app listing to be notified of new versions.
...
The JEMH Server/DC app has an active Bug Bounty rewards programme run by https://www.bugcrowd.com/, where researchers can log vulnerabilities.
Advising us of a CVE
Vulnerabilities with a demonstrable exploit can be logged by anyone directly through our support portal https://thepluginpeople.atlassian.net/servicedesk/customer/portal/1. We do not pay out for vulnerabilities logged in this way.
...