Some changes to Shibboleth Project security advisory procedures
After the last advisory, there was some discussion by the project team about making some adjustments to our handling of issues, and I wanted to formally announce a couple of them.
The first is that we will be following the lead of a number of open source projects in publically disclosing the existing of security issues and the expected timing of security patch releases ahead of time, without providing specifics other than the timing and the severity. So everybody will have some idea that a patch is coming and when (to the best of our ability to predict it).
The second change, which is more of a Consortium decision, is to do with the "alert" mailing list that we've maintained for a long time, which started life as a way to provide early warning on the specifics of issues to the academic federations that are obviously the main users of, and funding for, the project. The alert list is confidential and receives specifics on upcoming advisories in advance.
While we're not planning to make any immediate changes to existing subscribers, we are going to institute a policy as of now that any Consortium Members have the right to get on that list. We believe that's only fair given their funding of the project.
If you're a member organization and don't believe you have anybody subscribed to that list, just contact me or the [hidden email] address, and we'll get somebody added. I will follow up in a few cases myself.
Of course, if you want that information, you should consider joining the Consortium. 
RE: Some changes to Shibboleth Project security advisory procedures
Before more people ask, no, being members of InCommon (or any federation that is itself a Consortium member) does *not* mean you're going to get access to the alert list, this is for Consortium members explicitly because they are the ones keeping the project going.