If O365 can't find the email and the O365 message tracing does not show anything, it seems likely that the mail was not actually delivered by Atlassian. If O365 looses mails and these mails do not show up in message tracing either (i.e., not classified as spam), we would probably have heard about that by now.
Also, regardless of whether or not I received the mail, the initial mail stated that only authorized users could exploit this. So Atlassian did not inform any of their users fully until Sep 4, whereas they were well aware on Aug 26 that the vulnerability was exploitable by anyone.
> If O365 looses mails and these mails do not show up in message tracing either (i.e., not classified as spam), we would probably have heard about that by now.
Internet email has never been considered a highly-reliable messaging system; its quite possible an infrequent data loss in a mail server would get misattributed to a failure outside.
Heck, even ignoring the unreliability of email generally, in fact, your assumption that it must not occur because you haven't previously heard about it demonstrates how that might happen.
> Internet email has never been considered a highly-reliable messaging system
While that may be true, it seems vastly less likely to be the cause for the GP not receiving precisely this mail... Given that several other commenters only on this page mention not being able to find any evidence of having received this particular missive, William of Ockham would fall over with laughter at the idea that they all just happened to have email system glitches at the exact same mail.
But that is not the main point. Even if the email was lost somewhere in Office 365, people were already pointing out to Atlassian that they should really send a follow up on Aug 27:
The follow-up-request was to notify users that the advisory has been updated, not to ensure that customers received the Aug 25 email which linked to that advisory.
Either is was Atlassian's mailing list software which did not attempt to re-send the email to you after it noticed that the connection got dropped (should that have happened), or is was Microsoft which dropped the email after receiving it, but before storing it into the database and assigning it to your account.
You cannot know who is responsible for this delivery error unless you ask them directly.
They absolutely do silent drops of email they consider suspect. Anybody who works with email can tell you this. What this metric is nobody knows outside their walls. Google and other big providers do this too, some regard Microsoft a bit more skittish perhaps.
Also, regardless of whether or not I received the mail, the initial mail stated that only authorized users could exploit this. So Atlassian did not inform any of their users fully until Sep 4, whereas they were well aware on Aug 26 that the vulnerability was exploitable by anyone.