Security bugs are fixed and backported in severity order and bundled and released for all products on a quarterly basis. One CPU may contain, for example, 168 patches (for differing products, versions and operating systems) It’s clear we have to have excellent processes to be able to track all the issues we are fixing. We enforce “need to know” on security bugs so that only those who need to see the bug in order to fix it get access to bug details. We have well-established processes to report, fix, track and test release patches.”]
Source: https://www.csoonline.com/article/2118609/tracking-bugs.html