'open source with a few secret bits'
No. It means that the fixed code is made public only when the fixed builds are made available too. Nothing secret, but the brief window required to not expose users to zero-day vulnerabilities.
Disclosing vulnerabilities before would be irresponsible - would you like it in the Linux kernel or other critical code?