Opinions differ on the best way to disclose security vulnerabilities, but there is a general consensus in our community that vulnerabilities should, indeed, be made public at some point. What happens between the discovery of a vulnerability and its disclosure can be more controversial. A recent discussion on the handling of kernel vulnerabilities has led to change in the policies of the linux-distros mailing list — all based on the question of what constitutes "disclosure".