Almost all of Linux’s development work is conducted in the open. Almost. One of the few exceptions is when companies or hackers reveal unpatched security holes to Linux developers. In those cases, these issues are first revealed on the closed linux-distros list. Now, Microsoft, which is — believe it or not — rolling its own Linux distributions, has asked to join this restricted security list.
This list, linux-distros, includes developers from FreeBSD, NetBSD, and most of the major Linux distributors, among them Canonical, Debian, Red Hat, SUSE, and cloud Linux vendors such as Amazon Web Services (AWS) and Oracle.
This list’s purpose is to “report and discuss security issues that are not yet public (but that are to be made public very soon)”. How soon? The list’s maintainers ask that security holes be kept private for no more than 14 days after being revealed to the group. For example, Intel’s CPU Meltdown and Spectre security bugs would not have been discussed on linux-distros. Security issues that are already publicly discussed are handled in the OSS-Security mailing list.