POV asked. What's your POV around vulnerabilities ...
# general
m
POV asked. What's your POV around vulnerabilities in containers and the responsibility of the Platform team as supplier of these images? E.g. a Stackdriver image delivered with a vulnerability; current statement from the platform team: this is impacting most Prometheus-related things. As we don’t do custom/patched builds we cannot fix it. The CVE is in SSH-related code, which is not relevant to us. Statement from the security team: hackers don't give a f*, fork it and patch it, or use something else.
s
I'm closer to the latter statement. Software supply chains are complex enough that it's hard for teams to keep track of and respond to vulnerabilities in their direct dependencies. Asking them to investigate or work around the dependencies of their dependencies isn't reasonable. You don't want different users of your platform having to create & maintain custom forks of the core components of your platform containers. In the long run this is going to severely affect your platform. This assumes that the vulnerability in question is of sufficient severity that corporate security standards require that it be addressed. If there's a sufficiently vulnerable security hole, it needs to be addressed. Presumably, the team which introduced the vulnerable technology is in the best place to do it. Saying "we supplied this security hole but won't fix it" seems unacceptable.