The Asterisk Issue Tracker is a public site, and all bug reports against Asterisk can be viewed openly by the public. While this results in a transparent, open process - which is good - reporting a security vulnerability on the issue tracker without properly selecting the "Security" issue type makes the entire Asterisk user community vulnerable.
The "Security" issue type will automatically lock down the issue so it can only be viewed by the reporter and bug marshals. If you have any difficulties with that we'll help; please follow the instructions here and e-mail the team at firstname.lastname@example.org.
The Gerrit Code Review tool is a public site and security fixes should not be placed up on it by a reporter. Patches should be attached to the security issue instead.
Reporting a Security Vulnerability