OVNKubernetes repo uses the dependabot which does automatic security updates by scanning the repo and opening PRs to update the effected libraries.

To report a vulnerability, please use the Private Vulnerability Reporting Feature on GitHub. We will endevour to respond within 48hrs of reporting. If a vulnerability is reported but considered low priority it may be converted into an issue and handled on the public issue tracker. Should a vulnerability be considered severe we will endeavour to patch it within 48hrs of acceptance, and may ask for you to collaborate with us on a temporary private fork of the repository.