Vulnerabilities in Corda can be reported by following the Corda responsible disclosure policy:

https://www.corda.net/participate/security.html

Security announcements affecting Corda will be published on the Corda mailing list. People can subscribe to corda-announce@groups.io to receive security updates when they are made available.

Security updates are made for the latest version of Corda.