Should resolved security tasks be disclosed to the public? If so, when and who should modify the task's policy?