Many open source applications are packaged and distributed by numerous vendors and projects. As a result, each issue tends to produce several different public announcements and analyses. How are open source security issues discovered and reported? Where do the fixes come from, and who verifies that the issues in question have actually been fixed? Which advisory is right, and who should you listen to?