Kai is ranting about "Firefox - IDN - 0 Info - 0 Transparency" - and he's right with his rant. You're used to this security secrecy from commercial providers, but with open-source projects it annoys me every single time as well. When will people finally understand that only early disclosure gives users a chance to protect themselves? Keeping bugs secret is based on the absurd assumption that you're the first to notice the bug, which is simply silly: a blackhat who notices the bug will certainly not broadcast it but will instead exploit it for as long as possible. And so the only ones who benefit from keeping it secret for too long are the ones we shouldn't be helping anyway.

User security needs to be the focus of security considerations - and specifically the informed user who is capable of turning information into meaningful action. The uninformed user doesn't care anyway, they click on everything. But a sysadmin who knows about a problem can at least contribute by educating their own users so that they maybe act more cautiously for a certain period of time. An uninformed sysadmin doesn't have even a trace of a chance to do that.