It is our policy to maintain container images free of all fixed operating system vulnerabilities (CVEs) for all images that we package along with the Replicated product. This does not include the images distributed by the Vendor that comprise the Vendor’s application, and it will be up to the Vendor to maintain these images. We ensure that any release of the product is free of vulnerabilities at the time of that release, and do not backport these vulnerability patches to prior releases. We recommend that all Replicated installations are updated at the time of each release to stay up-to-date with the most current vulnerability patches. You can subscribe to Replicated release notifications at Release-notes - Replicated Release Notes.
We maintain a list of patched CVEs for each release of Replicated. In the interest of responsible disclosure, it is not our policy to make this list public. We will provide this list to our vendors upon request. Please email us at support@replicated.com for more information.