vendor-sec is a limited-access mailing list run out of the LST project in Germany.
Membership is kept low to avoid security leaks. Security notices are embargoed: for a set time, no information about the contents of a message may be shared outside the list membership, which gives vendors time to prepare patched versions of their packages.
According to Alan Cox,
vendor-sec membership is decided by vendor-sec, not Red Hat. It has to trade the fact the more people know the more it leaks versus the desire to get stuff fixed. Currently membership is decided by a process of armwaving and consensus with existing members (which include SuSE, Debian, Openwall, FreeBSD etc.). vendor-sec has to make that decision, Red Hat cannot do so.