...
- Team ACKs security report.
- Team investigates report and either rejects it or accepts it.
- If rejected, write to submitter and explain why.
- If accepted, write to submitter and let them know it is accepted and we are working on a fix.
- Request a CVE number from security@a.o
- Agree on a fix on our private@ list.
- Provide the submitter with a copy of the fix and a draft vulnerability announcement for comment.
- Reach an agreement for the fix, announcement and release schedule with the submitter.
- Commit the fix in all actively maintained releases.
- Roll a release for each actively maintained branch (unreleased trunk can wait.)
- Announce the vulnerability (users, dev, security@a.o, bug-traqbugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk and project security pages)
- Update the svn log to include the CVE number.
...