We recently voted for a security policy which provides a process for handling new security issues we might discover.
Per this process we decided to make the security issue public once they have been fixed and released. However, before this process we fixed a lot of security issues without making them public: we need to decide how we want to handle them.
My opinion is that those security issues should be publicly disclosed now that they have been fixed and released. However, it's a huge amount of work to properly create all the needed CVEs for each of them, to find the right impacted versions, etc.
So instead of doing that work at once, I propose the following rule:
Whenever a public issue needs to be linked to a fixed confidential issue, this confidential issue is made public with the appropriate CVE.
So, for example, if I need to close an issue as a duplicate of a confidential issue, I will create the link to the confidential issue, create the CVE for this confidential issue, and once the CVE is published make the issue public too (or make it public first and then publish the CVE).