Open source security response

Presented at Kiwicon 6: The Con of the Beast (2012), Nov. 18, 2012, 10:15 a.m. (30 minutes)

Open source means that commits are publicly visible, patches are shared upstream and discussion takes place on public forums. This is antithetical to the needs of embargoed security flaws, where opacity and secrecy are key prior to releasing a patch. Handling patches securely under the open source model is a balancing act between openness and confidentiality. This talk will explain how it is done, covering the handling of embargoed flaws, the private communication channels used by open source developers, committing patches upstream and communicating with users. The result is significantly greater transparency around released patches, with full source code and documentation available, as opposed to patches for proprietary software, which are often limited to a mysterious updated binary, a CVSS score and a vague description. Video with hand puppets outlining the talk: http://www.youtube.com/watch?v=EXMsJ-ypf0M
Presenters:

  • David Jorm
    David is the lead security response engineer for Red Hat's middleware division (JBoss). He has spoken at Ruxcon, Linux.conf.au, JUDCon, SAGE-AU and OSDC.