"Lack of disclosure isn't going to win many, if any, friends, especially when it comes to a hypervisor that's been riddled with vulnerabilities as of late. It just makes me wonder what they're trying to hide and for what reason."
You may wonder that, but the reality looks quite different. If you look at the facts (aka https://www.cvedetails.com/vendor/6276/XEN.html), you will find that the issues reported have been going down in the last two years (2014: 44, 2016: 28). This has happened in parallel with the project actively taking measures to find more bugs. Also, our security team is bigger in terms of members participating than at any time in the past.
If you look at Linux (https://www.cvedetails.com/vendor/33/Linux.html) and QEMU (https://www.cvedetails.com/vendor/7506/Qemu.html) the opposite is true. The big difference is the media attention that Xen Project vulnerabilities get compared to other projects: so yes, it looks as if we had more vulnerabilities than others, when in reality we are actually doing OK.
And it is not because we issue fewer CVE numbers or handle fewer issues. When you look at the data, you will also find that the average CVSS score of the issues we handled has reduced as well (the average score used to be around 5.1 - 5.4), but last year it was around 3.3.
"Transparency is not the enemy, especially not in an open source software project."
I do believe that we are one of the most transparent projects on how we handle security issues. This is why we made a public proposal to get feedback. Also, it is worth mentioning that there is a trade-off to transparency: every time we issue an XSA, which could be a vulnerability in some theoretical circumstances, but may not really be one, we are creating work for our down streams and users. We were criticised about this in the past, and this proposal is trying to address some of this alongside some other issues we have come across since we revised our policy last.
It is of course also good that El Reg is giving the proposal visibility. If you have an opinion, feel free to vote on the El Reg survey, but I did want to point out that a reply to our proposal on xen-devel at lists dot xenproject dot org is more helpful. You can also use the Reply button at https://firstname.lastname@example.org/msg96571.html (but make sure you CC xen-devel at lists dot xenproject dot org)