Handling security patches has been an issue so far: our solution involves posting them to Launchpad and tracking new patchsets and approvals a bit manually, then pray for the stuff to be mergeable and tests to pass when we open the bug at the end. This resulted in unnecessary pain and delays.
We should use a private Gerrit instance that would be stripped of all of the potential leak areas (like the gitweb thing). We would track patch versions and approvals there, bringing people in as necessary. Tests would be triggered from there to give us reasonable confidence that the patch is good. Once approved we would push them to stakeholders, and once the embargo is over we would use some magic to copy the patch and approvals over to the public Gerrit, where the patch would enter the normal gate workflow.
This bug replaces bug 902052, which was about adding private reviews to the same Gerrit instance that is used for everything else.