One of the things I think proprietary projects are wrong about is treating bugs, including security bugs, as secret private things. The best security solution we have is the number of eyes we allow to see the problems. I think emulating the paranoia is a mistake. Security-related bugs should go to the bug squashing system all bugs go to. Triage and fixes can then follow, and the more security-skilled coders can take it from there.
Just my .02¢
