This is not the case for security-related issues. We have the Security Patch Policy and Procedure where the PRs do not get published publicly until the fix is deployed. And if you search the forum for Security Patch Policy and Procedure, you’ll find a few examples where that already happened.
In the next few months I don’t expect we’ll be able to work on that due because of all the other things we’re working on. Quite a few people at DFINITY would love to start such an effort though and I certainly think that we’d be able to get there. However it would probably be quite a bit more expensive than running canisters on today’s subnet sizes 
1 Like