Users who find bugs are encouraged to report them to the Whonix issue tracker.
Once reported issues have been reproduced and confirmed, developers discuss the problem in order to find a suitable solution or workaround. All Whonix source code fixes and related matters are implemented as quickly as possible and the finding is posted for the public benefit.
Users are kindly asked to report security bugs privately. Whonix developer Patrick Schleizer should be contacted via OpenPGP-encrypted mail before the information is published. This allows the vulnerability to be patched without endangering the Whonix user population, and the notifier can be credited with the finding(s) after the next Whonix release.
Whonix Package Upgrade Policy
Prior to Whonix 14, tickets that were resolved on the Whonix issue tracker were not automatically pushed to the stable (or even developer) version of Whonix. This meant stable package upgrades were rare, unless critical security vulnerabilities were discovered, thereby entirely avoiding the risk of destabilizing the Whonix platform and necessitating manual user fixes. Fixes noted on the issue tracker generally only became available to all users after the next stable version release.
Whonix 14 and later releases have transitioned to a rolling distribution, meaning far more frequent updates will filter through to the stable, stable-proposed-updates, testers and developers repositories. Advanced users who do not wish to wait for package updates can of course manually apply fixes to the relevant package(s) before that time. For example, the Whonix AppArmor profiles package is a prime candidate for manual fixes, as it frequently breaks functional Tor Browser use when later browser versions are released.
Phabricator issue tracker labels can be interpreted as follows:
- Reviewed: "Completed in the latest source code version of Whonix" (but not released). Further testing is required in the next Whonix developers-only or testers-only release.
- Resolved: "Completed in the development version of Whonix".
- There is no specific label to indicate status in the stable Whonix release.