Regrettably, Docker has let me know they are uninterested in taking any action.
"Hello,
This does not qualify as an infringement to our Terms of Use policy. Deprecating such images and repo(s) is the responsibility of the owner and we recommend you reach out to them.
Docker advises its users to opt into using images under our official programs and offerings such as Docker Official Images and Docker Hardened Images.
Thank you,
Security@Docker"
In their ToU under section 6.6, they outline how they may scan images for vulnerabilities and request that the owners of those images fix them, or simply remove them from the site. They clearly do not do this, though, even when notified of a high-criticality vulnerability.