“It’s handled very different between open-source projects,” said Vincent Berg, researcher at security firm IOActive. “There are projects that have a very active approach to it. The big Linux distributions and the different BSD flavors tend to do a pretty good job.” The Ruby on Rails Web application software project also recently moved quickly to make needed updates for security purposes, Berg said.
He says his impression is that better handling of security issues in open source seems to come from those that provide users with mailing lists about security which users are advised to subscribe to, and “most of these distributions have dedicated security contacts.”