
@develcuy - If my memory is correct, the CVEs were lurking for many years. That means the existing structure had shortcomings, and unless they have revised and improved the process, there definitely is a shortcoming in the organization and it needs to evolve. Now the same has happened with OpenSSL too, but there the community was outnumbered and not as active as Drupal or any of the other vibrant communities.

I can take the example of a Free Software project I have been involved with for the last 17 years - we went dormant, and now we have been very active for the last 11 years. We have hosted GSoC, contributed to Unicode, etc. We could never fix certain shortcomings in the Unicode definition even though they were against the basic rules of "Indic Languages". Personally I feel this is a shortcoming, and we need to become more influential (like Google's and Microsoft's influence in Unicode committees); as we speak we are trying to get the government involved to correct the errors. We are doing PR, we have some of the most downloaded Android apps, etc. - this will increase the visibility and will eventually help to correct mistakes. So communities must evolve and get better.

btw, follow-up on the original action items is here: https://hackmd.io/s/ByT1BuG5m

There are a few people helping out, and suggestions/criticism/assistance in the true community fashion are much needed.

Security bugs have nothing to do with the Drupal Association (DA); there is a specialized team in charge of security, AND the head of all Drupal development is Dries. He has a long and very well structured list of core committers, with clear duties, reporting straight to him, although everyone belongs to different companies or is self-employed. That is normal practice in community-backed Open Source projects, btw. Contrary to that, in STEEM we have a team of guys from the company in charge of releasing the code, along with a band of 20 guys with no clear structure and duties. What is one supposed to expect from that? Or better said: