> > This is one of the stickier points that we have to work out for > > external-to-RH maintainership and errata; how to handle embargoed > > security notices. > > How does debian get vendorsec access? They have a small team of trusted people who agree to follow the disclosure rules. In general vendor-sec also works directly with the package maintainer.