Once the TYPO3 Security Team receives a notification of an incident, one or more members review it and consider its impact. If TYPO3 turns out to be actually vulnerable, we work on a fix for the problem. Extension authors are contacted as well, if needed. Finally, the fix is tested, packaged and released. After all of that is done, an advisory is published.
Since all of this takes time, please be patient while waiting for an answer! Please refrain from making anything public before a fix is released: a published vulnerability without a fix is even more severe!
Our Security Policy
We decided to follow a policy of least disclosure. We didn't just make it up; it's used by a lot of projects around the world.
That is the reason why we ask everyone to get in touch with the TYPO3 Security Team first whenever a security issue has been found.
There is also a security mailing list, used to discuss potential issues, future improvements, etc. That list is internal and only open to TYPO3 Security Team members who are personally known to us (we have met all of these people). They are not just reading; they are actively helping us sort things out, discussing the best solutions, etc.