As Jenkins is a web application, it is not immune from vulnerabilities. So I recommend anyone running Jenkins seriously to watch out for security advisories and keep your instance up to date.
This is especially true for those who are running Jenkins on the public Internet, but it is also true for those who are running Jenkins inside a corporate firewall. Some of the security vulnerabilities involve mounting an attack from a user - for example, a disgruntled employee - inside a firewall from the Internet, tricking his browser into doing things to your intranet Jenkins!
When a security issue is reported, we work on it. Once a fix is developed, we post mainline and LTS releases (more or less simultaneously for security updates, so far), so that users of both release lines have an immediate fix to the problem. Ditto for users of Jenkins Enterprise by CloudBees.
The Jenkins project then issues a security advisory, to make people aware of the newly-discovered-and-resolved security issue. One way to subscribe to the security advisories is to subscribe to a mailing list . You can also subscribe to
Stay up to date
We'll never share your email address and you can opt out at any time, we promise.