We decided to follow a policy of least disclosure. We didn't just make it up; it's used by a lot of projects around the world.
That is the reason why we ask everyone to get in touch with the TYPO3 Security Team first whenever a security issue has been found.
There is also a security mailing list, used to discuss potential issues, future improvements, etc. That list is internal and only open to TYPO3 Security Team members, personally known to us (we have met all of these people). They are not just reading; they are actively helping us in sorting stuff out, discussing the best solutions, etc.