Security and GNU
Reporting security issues
To report a security bug against a given package, please follow the bug-reporting guidelines for the package. If there are no security-specific instructions, just follow the general bug reporting instructions. If you don't think your report should be public, email the maintainers individually. (The package web pages and/or Free Software Directory entry should provide contact information.)
If you've reported an urgent security bug and there hasn't been any response in an appropriate amount of time, you can escalate to the general security mailing list for advice. You can also write there for help if you cannot find maintainer contact information. If you don't get an answer there either, as a last-ditch effort you can try <email@example.com>.
General security discussions
To discuss general security topics and questions (not report bugs), you can use the security-discuss mailing list. Its purpose is to provide a place to discuss security matters that are applicable to more than one project. For example, general secure programming techniques, cryptography, and network protocol issues.