Been using Graylog for a while now via a Kubernetes stack. Love the software.
Internally we run a security scanner that identifies packages within containers that have security vulnerabilities. All the ones we review and report have fixes available. In the current iteration of Graylog 3.3.5 there are several Java package-related security vulnerabilities that probably should be addressed by updating the package. I verified their current versions in the pom.xml file. I looked through the forums but didn’t see any discussion about either one or how to go about reporting such things.
Is there a procedure that should be followed? I would be happy to share our report; I just didn’t want to make it public at the start.