Thanks Brian. The other things to consider are:
1. If the bug is impractical for an attacker to successfully exploit, we should work on this in public.
2. If the solutions to the bug are not safely backportable to maintained stable branches, we should work on this in public.
3. If solutions to the bug are very likely to take longer than three months (our maximum embargo duration) to implement and/or would be very hard to develop in secret, we should work on this in public.