The reason I say this is that recently I was made aware of a security flaw in one of my free plugins. I patched and updated on Moodle.org as quickly as possible. I wondered if I should post about it in one of the forum threads dedicated to it, but for the most part the users subscribed to those would be updaters, and I would risk alerting less good people to a flaw they might exploit. I am still not sure what the best course of action is to be honest.
Ideally I would have access to a list of subscribed users to which I could send a direct message (email or message). Is there a best practice here, or some way we can implement a notification feature. After all Moodle alerts registered Moodle site admins of security issues in Moodle in advance of any public release of such information, so it seems like plugins should be no different in this respect.