Bug#129604: general: Social Contract: We Do Hide Problems
Can't we satisfy not disclosing the vulnerability and letting
our users know by doing something like this:

    Debian has been informed of a [<<type>>] vulnerability in
    <<package>> [by <<someone>>]. We are preparing an updated
    package, which will be available from security.debian.org
    along with a DSA [on <<date>>].

    To the best of our knowledge, this is not being exploited
    in the wild. However, you are cautioned to take reasonable
    precautions, such as not using <<package>> if not needed.

This way, we don't release the details to the bad guy. We do
alert our users to be on the lookout.

And we're certainly not hiding our problems, by any stretch of the word.