Hello,

2017-04-18 21:36 GMT+02:00 David Eisenstein <deisenstein@att.net>:

Digging around, I am not seeing much presence for security? The
mailling-list archive shows no activity on the
security-team@lists.fedoraproject.org mailing list at all since last
October? And no team meetings?

Sounds about right; security-relevant discussions, if any, happen on the global fedora-devel list, but there is not an all-encompassing Fedora security group with regular meetings to my knowledge.

Just who/how are security vulnerabilities handled in Fedora now?

By the individual package maintainers; I think this was always their primary responsibility. Red Hat’s security team may Fedora bugs for vulnerabilities they are tracking (this is certainly happening for some packages), I don’t know whether there is any formal commitment, and I would not expect this tracking to be done for the whole universe of Fedora packagers.

Either way, developing and publishing the fix is the responsibility of the individual package maintainers.

Mirek