[smokey_circles]

1) why would you not use a vpn or other gateway between confluence server and the internet?

2) presumably for the same reason they ran confluence as root: no idea what they're doing (forgivable) or lazy (unforgivable)

[bombcar]

Also a surprisingly large number of publicly available documentation is hosted on internet-open confluence pages.

[perlgeek]

Have you looked at the security of VPN products in the past 2ish years? Basically every one of the big ones had several really dumb and easily exploitable RCEs.

It doesn't really help you to use a security product in front of your vulnerable product when the security product turns out to be roughly equally vulnerable.