Hi everyone,
I propose to make a small amendment to our current security policy: right now we always keep at least a 3-month embargo for our security issues, or more when we feel the need. I propose that we authorize publishing a security issue immediately after the release when the issue doesn’t concern an LTS version and it’s related to the current cycle. So for example, if I have a security issue that only concerns 13.4 and has been fixed in 13.5, I could publish it immediately.
The main argument for it is that people who are using those stable versions are generally more keen to upgrade regularly, so we should inform them right away when we discover a security issue, and I don’t think sponsoring companies are using those stable versions. So we avoid having people use a version of XWiki with a hole for several months when we can.
wdyt?