Should I open a bug report saying that e.g. some Arch package has certain vulnerability, mark the report as critical and wait for someone to set it as private? How do we deal with such sensitive information?
I've looked in the wiki, but neither https://wiki.archlinux.org/index.php/Arch_CVE_Monitoring_Team nor https://wiki.archlinux.org/index.php/CVE-2014 has any info on this.
