by lukegb » June 9th, 2012, 10:54 am
I'd like to point out that we make the tickets semi-public under dl.bukkit.org when the ticket is mentioned in a commit, so the ticket description will become available at the same time as the fix.
Yes, it is reasonable to suppress information for some time. I point to the cases of Mozilla and Chrome, as well as most other open source projects, which all undertake this for security-sensitive tickets.
Mozilla's policy states this:
"As noted above, information about security bugs can be held confidential for some period of time; there is no pre-determined limit on how long that time period might be. However this is offset by the fact that the person reporting a bug has visibility into the activities (if any) being taken to address the bug, and has the power to open the bug report for public scrutiny."