Python's documentation should make it clear at the most important entry points that the appropriate place to report possible security issues is security@python.org, not the tracker.  In particular, the tracker's top page (the one you get from http://bugs.python.org/) should make that clear.
See the News/Security Advisories on Python's main pages and Brian Curtin's 2011-04-14 post for reasonable descriptions of the de facto policy.

The Tracker documentation probably should be updated with this as well.

It might be a good idea to have a way for triagers to suppress display of security issues by classifying them as security (eg, via priority, keyword, or possibly even resolution).

Xref thread starting at http://mail.python.org/pipermail/python-dev/2011-April/110722.html.