Red Hat has historically had the best record of all the Linux companies in finding and fixing Linux and open-source security bugs. Here's how the Raleigh, NC-based company does it.
First, Red Hat Product Security is in charge of both finding and fixing security holes. It doesn't do this alone: the team works with other Linux and open-source companies and developers. Security in the Linux world isn't done in secret, but with the full cooperation of all the programmers involved.