All I have tried to explain is that it does not mean that exploit information has to be exposed.
This is what actually happens already: the security team receives a security report, does a deep analysis of the potential problem, and if the report turns out to be valid, the security team helps the corresponding module maintainer fix the vulnerability. The exploit information is made public when a fix for all users is available.
"Analysis and risk rating ensure the quality of the disclosed information. The analysis must include enough details to allow a concerned user of the software to assess his individual risk or take immediate action to protect his assets."
This, too, is what happens: all subscribers of the security announcements newsletter receive a mail for each and every fixed vulnerability throughout Drupal core AND contributed modules.
If the Drupal security team made a decision to follow another path, it's okay. But you should not judge other people in this matter so quickly. Anyway, I have tried to be polite, but since I have received such suspicion of bad intentions and such an arrogant perception here (at least that is what I feel now), I think I will stand out for now in my true intentions to help and let you enjoy the status of an "overworked and understaffed" security team.
Alex
Look, I do not belong to the security team either (albeit I have already considered joining to help out). However, I /feel/ very safe knowing that we have top-notch contributors in this team, doing an excellent job of reviewing and solving all security issues. To be honest, I would not like to see an arbitrary "Web Developer" (e.g. "Drupal Developer") there either. As a regular Drupal contributor and user, I know the contributions of /each/ security team member, which makes me believe that they are experts in all Drupal areas - and friends I can trust. I would recommend that you contribute more to Drupal, get some kudos for your valuable contributions, and then ask again. Thanks, Daniel