...

  1. Clean up and automate the build and publishing process so that releases can be cut quickly by whoever is available.
  2. No "grace periods" or "private discussions"; discuss publicly as soon as possible.
  3. Ideally, set up a conference call to start the discussion on how to resolve the issue and to assign responsibilities.
  4. Set up a secure communication channel for security advisories and notifications. Perhaps also update a public website.

Current process:

    1. Don't open an ordinary JIRA issue; open a JIRA "private security" issue.  It must be a new issue of that type, not an existing issue whose "type" has been changed.  Just changing the type doesn't help.
    2. Don't open pull requests; do a direct commit.  (David to write up an email on creating a private repo for the cases where a more extensive commit process is needed.)
    3. Cut the security releases, including release notes.
    4. Community notification.
    5. After the announcement, create the public JIRAs.
    6. Three possibilities for a grace period: 
      1. No grace period - everyone knows before adopters can patch, and people who follow many projects on bugtraq know right away.
      2. 15 business day grace period - people watching bugtraq will be unhappy with what looks like sloppy reporting, but it lets adopters try to patch first.
      3. Short grace period - adopters don't really have time to benefit.
    7. Public disclosure: bugtraq.

...