Note that informing the user is not sufficient for an Apache project. If the project cannot respond effectively to security reports, it must retire.

This is part of the ongoing discussion on the dev lists. The OP quotes Dennis, the OpenOffice Chair to this effect.