Do not release details about security vulnerabilities until after the fix was available for a reasonable period of time

      It is an unfortunate practice at Atlassian to release, as a part of the release notes, all the information, often including example exploits, about security vulnerabilities that were fixed in the version being released.

      This gives us great headaches because:

      • we often don't know when the next release is because of varying release dates, so we can't plan ahead
      • we might not be able to drop everything and rush to upgrade our version of Confluence the day when the new version is released

      We would much prefer to be just notified that the latest release fixes security vulnerabilities, and have a period of e.g. 30 or more days to upgrade before any details are revealed publicly. This is how many projects (open source or commercial) work, and this practice is favored in the security community as well.

              Assignee:
              Sherif Mansour
              Reporter:
              Igor Minar
              Votes:
              3
              Watchers:
              2
