...

1. Cleaning up and automating the build and publishing process to enable releases to be cut quickly by whoever is available.
2. No "grace periods" or "private discussions"; publicly discuss asap.
3. Ideally set up a conference call to initiate discussion on how to resolve the issue and to assign responsibilities.
4. Set up a secure communication channel for security advisories and notifications.  Perhaps update a public websites.

Current process:

1. 1. Don't open JIRA IssuesOpen a JIRA "private security" issue.  It must be an issue, not just a change in "type".  Just changing the type doesn't help.
   2. Don't open pull requests; do a direct commit
   3. Cut the security releases including release notes.
   4. Community Notification
   5. After announcement, create JIRA's.
   6. Three possibilities: 
      1. No grace period - Everyone knows before people can patch + poeople  who follow many projects on bugtraq know right away
      2. 15 business day grace period - People watching bugtraq will be unhappy with what looks sloppy reporting + Lets adopters try to patch first
      3. short grace period  - People don't really have time to benifit.
   7. Public disclosure: bugtraq

...