Linux kernel non-disclosure policy
Proving that open-source security has not improved much since the days when it relied on the idea that enough eyeballs make all bugs shallow, Linus Torvalds demonstrated his incompetence at handling security issues by defending the silent patching of security vulnerabilities in the Linux kernel:
So I personally consider security bugs to be just “normal bugs”. I don’t cover them up, but I also don’t have any reason whatsoever to think it’s a good idea to track them and announce them as something special.
Adding insult to injury:
Btw, and you may not like this, since you are so focused on security, one reason I refuse to bother with the whole security circus is that I think it glorifies – and thus encourages – the wrong behavior.
It makes “heroes” out of security people, as if the people who don’t just fix normal bugs aren’t as important.
For more background on the current Linux security fiasco, see this thread on Dailydave.