Over in https://github.com/ros-infrastructure/rep/pull/262, we’ve been putting together a security vulnerability disclosure policy for ROS 2 Common Packages. This policy is meant as a statement from the developers of ROS (and its packages) to the wider world on how to report vulnerabilities, what to expect when reporting a vulnerability, etc. It was kindly put together by the ROS 2 Security Working Group. If you have any additional thoughts or opinions on this topic, please leave them on the pull request linked above.
For those interested in this topic, and to bring some further attention to what’s a in projects and organizations, I wrote a piece last week that dives a bit deeper into the topic of vulnerability disclosure in robotics: https://cybersecurityrobotics.net/vulnerability-coordination-and-disclosure-in-robotics/