...
- Some way to mark Jira issues as security-related and therefore private.
Proposed Vulnerability Procedure
Acknowledge receipt of vulnerability report
Privately verify vulnerability and create patch and/or workaround
Private notification (Apereo members in good standing, commercial support subscribers)
Grace period for notified deployers to patch or workaround
Community notification with patch/workaround
Grace period
Public disclosure - CVE, http://cve.mitre.org/, etc.