Vulnerability management

Hello,

What is the Percona position on vulnerability management and disclosure, and are there any plans to tie this into recognised sources like the National Vulnerability Database etc.?

The reason I ask is that no vulnerabilities will be shown for Percona Server for MongoDB (PSMDB) in common security tooling like Nessus, Wiz, etc., which many companies require for compliance and remediation.

I see forum posts (Security Advisory: Percona Server for MongoDB 🚨, MongoBleed Impact and Mitigation: How to Protect Your MongoDB Servers) and blogs which is great, but not an ideal source for critical vulnerability management.

I’ve scoured the GitHub docs, Jira and this forum but couldn’t find any authoritative information on the approach.

I can see some past forum posts on this but not specific to MongoDB.

There are also a number of posts asking if a product contains a CVE, which could potentially be solved by reporting.

Thanks,

William