Hello!
As per internal risk assessments and validation of new tools, I was wondering if someone could provide better insight into how vulnerability management is handled in the Consul project (or possibly for HashiCorp projects as a whole, if the process is the same). I've tried searching consul.io, but couldn't find anything at a glance.
Do you include vulnerability identification steps in the build process / CI jobs on GitHub, or expose some kind of endpoint that is viewable? Maybe a link to how people should responsibly disclose zero-days or similar?
It would also be great to know how/if special care is given to security advisories and/or notices, or if they are handled through the normal changelog/issues flow. Maybe there is a security-related channel to subscribe to?
Thanks in advance!
Cheers
E