I'm not quite ready to blast Mr Vixie yet. The trouble with BIND is it is mission-critical for basically the entire internet, so disabling it or firewalling it while a fix is found just isn't an option. The only choice is to leave servers with a security hole running until the hole is patched.
Therefore, I don't see it as entirely unreasonable for a core group of people to be able to discuss security holes in secret so that a patch can be made before an exploit reaches the wild. True, it's only a hope that the good guys discover the hole before the bad guys do, but it's the best we can do.
There is plenty of precedent for keeping security holes secret while a fix is made - Alan and Linus did it several times. What kept people from complaining in the Linux kernel cases was that patches came out very quickly after bugs were discovered. If BIND wants to maintain the same reputation, the same will have to occur.
However, IMHO any secret mailing list should be strictly limited in scope to security bugs. Once a patch or workaround is available and has been successfully applied to critical root servers, the bug and patch *must* be promptly disclosed.
The one thing that does really concern me, however, is the "membership fee". The costs of running the facilities discussed in the system are negligible. By the sounds of it, only core developers and distributors will be on the list anyway. Why charge a membership fee and be suspected of running this as a for-profit exercise?
Incidentally, it is amusing to note who posted the notice to bugtraq. Mr De Raadt, for all his undoubted programming skills, isn't renowned for being a subtle diplomat.