You don't need to be disingenuous; you were around when the discussion regarding the kernel developers' official policy of silently fixing vulnerabilities was discussed. You are well aware of their policy and Linus' reasons for it.
Yes. Because the only place I consider appropriate is the kernel
changelogs, and since those get published with the sources, there is no
way I can convince myself that it's a good idea to say "Hey script
kiddies, try this" unless it's already very public indeed.

http://thread.gmane.org/gmane.linux.kernel/701694/focus=7...