Bioconductor is not a monolithic application, but a (large) collection of software packages.
All new Bioconductor package contributions receive a technical review, but this does not specifically target security vulnerabilities.
Once accepted, maintainers make commits to our git repository. There is little code review at this stage.
Bioconductor packages are almost exclusively source (R, C, C++, Fortran, etc) code in git. The main dependencies are therefore R itself, and system library dependencies. Generally, system dependencies must be satisfied by the user, and hence vulnerabilities in these libraries are not under our control. R itself responds promptly to security vulnerabilities. We try to maintain our own systems in a reasonably current state, with regular application of security and other OS updates.
The path from our git repository to build system to public repository is through https.
Our response is like our response to this query -- prompt assessment of the concern and immediate action, e.g., removing problematic packages from our public repositories, notifying upstream sources, and if necessary sharing concerns with our community through this support site, our developer mailing list, and our community slack.