Consul/HashiCorp vulnerability management process?


As per internal risk assessments and validation of new tools, I was wondering if someone could provide better insight into how vulnerability management is handled in the Consul project (or possibly for HashiCorp projects as a whole, if the process is the same). I've tried searching, but couldn't find anything at a glance.

Do you include vulnerability identification steps in the build process / CI jobs from GitHub, or expose some kind of endpoint that is viewable? Maybe a link to how people should responsibly disclose zero-days or similar?

Would also be great to know how/if special care is given to security advisories and/or notices, or if they are handled through the normal changelog/issues flow. Maybe there is a security-related channel to subscribe to?

Thanks in advance!


Hi @johanssone,

Hope this link answers some of your questions:



Thanks a ton!