I had the privilege of making a presentation on "Securing Open Source" at the DHS SwA Forum at NIST. The forum was cosponsored by DHS, DOD and NIST.
The presentation is available here: Securing Open Source
Additionally, DHS has hosted the recording here:
Salient points proposed in the presentation:
a) Choose open source projects backed by at least one professional company with a strong reputation and a stake in the project's success.
b) Choose platforms built on open source projects rather than picking and choosing arbitrary projects from the web.
c) Open source projects need to work collaboratively with the entities (NIST, MITRE, etc.) that maintain the public vulnerability databases.
d) Open source projects need to have an email address or an online contact form for reporting security vulnerabilities confidentially. Remember, for JBoss projects, we have "email@example.com".