Security Bulletin Changes

At JetBrains, we do our best to make sure our software is free of vulnerabilities. If we encounter a security problem or if external researchers alert us to one, we follow our Coordinated Disclosure Policy to address the issue. As a part of this process, we share information about vulnerabilities publicly to encourage our customers to update JetBrains products to new versions with the appropriate fixes.
For the last several years, we have published the JetBrains Security Bulletin on our blog and sent emails to Bulletin subscribers quarterly. However, this approach created an unwanted delay between the release of new versions and the publication of information about vulnerabilities. We also receive a lot of questions about vulnerable product versions from our customers.

New page with all fixed security issues

To help you answer these questions, we’ve created a page with information about fixed security issues. It contains information about all of the vulnerabilities that we’ve ever resolved, across all JetBrains products and services. Similar to the Security Bulletin, you’ll find the issue description, fix version, CWE (Common Weakness Enumeration) ID, and assigned CVE (if applicable) for each issue. We’ve also added the ability to filter the results, so you can review only the issues relevant to the product you are interested in.

We plan to add information about fixed security issues to the page when new product versions are released, so you’ll be able to learn about security updates for JetBrains products faster than before.

Emails will be sent monthly

For those who receive the Bulletin via email, the process will remain mostly the same, with just one change: we will create our digest of fixed issues monthly instead of quarterly. If you are already subscribed, no action is needed from your side. If you want to subscribe, please do so here.

JetBrains becomes a CNA

One more thing to report is that JetBrains has been authorized by the CVE Program as a CVE Numbering Authority (CNA). A CNA is an organization responsible for the regular assignment of CVE IDs to vulnerabilities, and for creating and publishing information about the vulnerabilities in the associated CVE Records. Each CNA has a specific scope of responsibility for vulnerability identification and publishing.

Once we discover a security issue in a JetBrains product, we always add information about the issue to the CVE List to provide consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.

As a CNA, JetBrains will be able to:

  • Assign CVE IDs for issues discovered in JetBrains products faster.
  • Provide the most accurate information for the CVE list (description, impact, and root cause).

If you have any questions about our approach, please feel free to get in touch with us at security@jetbrains.com.

Stay safe,

The JetBrains team