If you are going to delay disclosure of vulnerabilities, then you need to make sure you aren't
leaking information about those vulnerabilities before that date.
If the project uses CVS or Subversion, then there is no reason that the bad guys wouldn't be
watching the commits. The contents of the commits may be enough for such a person to deduce
the vulnerability and be able to exploit it in the window the developers have provided (in
addition to the time it takes for people to patch their systems).
So you really want to delay exposure of the commits to the same point where you expose the
vulnerabilities. With a public CVS/Subversion server, that probably means not committing the
work until that point, which is not particularly helpful if you have multiple vulnerabilities.
If you really do want to batch up the security vulnerabilities, perhaps one of the distributed
VCS systems would be appropriate. The ability to perform disconnected development also means
that it is possible to keep a line of development private but disclose it at a later date with
full history, which is what is wanted here.
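The workflow described above, as an added example that is not part of the original post: a batch of embargoed fixes is kept on a branch that is never pushed to the public server, then merged and published on disclosure day with its full commit history intact. It assumes `git` is installed; the repositories, file names and commit messages are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: private line of development during an embargo, published with history later.
# Everything is created under a temporary directory and removed at the end.
set -eu

demo_embargo() (
  work=$(mktemp -d)
  export GIT_AUTHOR_NAME=dev GIT_AUTHOR_EMAIL=dev@example.invalid
  export GIT_COMMITTER_NAME=dev GIT_COMMITTER_EMAIL=dev@example.invalid

  # The public server: anyone, including attackers, can watch its commits.
  git init -q --bare "$work/public.git"

  # Developer clone: ordinary work is pushed to the public server as usual.
  git clone -q "$work/public.git" "$work/dev" 2>/dev/null
  cd "$work/dev"
  git checkout -q -b main
  echo 'version 1' > parser.c
  git add parser.c && git commit -q -m 'initial parser'
  git push -q origin main 2>/dev/null

  # Embargoed fixes accumulate on a branch that is never pushed to origin.
  git checkout -q -b security-batch
  echo 'fix one' >> parser.c && git commit -q -am 'parser: validate length before copy'
  echo 'fix two' >> parser.c && git commit -q -am 'parser: reject negative offsets'

  # Before disclosure: the public history must not contain either fix.
  if git --git-dir="$work/public.git" log --all --oneline | grep -q 'parser:'; then
    echo "leak: embargoed commit visible on public server" >&2; exit 1
  fi

  # Disclosure day: merge the private line and publish it, history and all.
  git checkout -q main
  git merge -q --no-ff -m 'merge security batch' security-batch
  git push -q origin main 2>/dev/null

  # After disclosure: both individual fix commits are visible publicly.
  pub_log=$(git --git-dir="$work/public.git" log --oneline main)
  echo "$pub_log" | grep -q 'validate length before copy' || exit 1
  echo "$pub_log" | grep -q 'reject negative offsets' || exit 1

  cd / && rm -rf "$work"
  echo "embargo workflow verified"
)
```

Running `demo_embargo` prints `embargo workflow verified` only if the fixes were invisible on the public server before the merge and fully visible, as separate commits, after it.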