Within the OpenJDK project there is group named the OpenJDK Vulnerability Group, which receives and discusses reports about security vulnerabilities in OpenJDK, and which implements and tests fixes for vulnerabilities, and coordinates the release plan for such fixes.
Unlike all other activities in OpenJDK which are public (mailing lists and archives are accessible here), the Vulnerability Group works behind closed doors.
Security vulnerabilities are only disclosed at the time that an OpenJDK update, which fixes those vulnerabilities, is publicly released. On foojay, for each release and update, the list of vulnerabilities are listed, as shown below, click here for details.
The Vulnerability Group has about 20 members.