If you think you have discovered a security issue in any of the Hyperledger projects, we'd love to hear from you. We will take all security bugs seriously and if confirmed upon investigation we will patch it within a reasonable amount of time and release a public security bulletin discussing the impact and credit the discoverer.
There are two email addresses where Hyperledger Besu accepts security bugs. The first, security "dash" besu at lists dot hyperledger dot org is limited to a subset of Hyperledger Besu maintainers and Hyperledger staff. For highly sensitive bugs this is a preferred address. The second email address security at hyperledger dot org is limited to a subset of maintainers and staff of all Hyperledger projects, and may be viewed by maintainers outside of Hyperledger Besu. When sending information to either of these emails please be sure to include a description of the flaw and any related information (e.g. reproduction steps, version, known active use).
The process by which the Hyperledger Security Team handles security bugs is documented further in our Defect Response page on our wiki.