In my daily Open Source work, I find that when someone reports a suspected security problem, assessing the possibility, risk and impact of the issue can take a significant effort and time.
Is it a security problem? If it is a security problem, what is the impact, the severity and how should it be fixed?
Security problems should be addressed as quickly as possible to reduce the risk of harm to existing users out there who run the vulnerable versions. It is also important that knowledge of a security problem, and the work on the fix, stay behind closed doors. Once the fix is written, reviewed, tested and verified, you can announce the vulnerability and the associated fix to the world. The idea of course is to minimize the impact for vulnerable users and give them a chance to upgrade to a fixed version by the time the bad guys out there also get told about the flaw and therefore can start to exploit it.