How can I report security vulnerabilities for open source OSX applications?

In the event of finding a security vulnerability in the Linux world, the procedure involved would be to report the vulnerability...

• ...to the developers or the maintainers of the package in a particular operating system.
• ...to the security team of that particular operating system.

Then patches are made and CVE's are released.

I'm curious about how does open source vulnerability reporting work in the OSX world? Do the developers release CVE's if a security issue is brought to their notice?

You can contact Apple about this at [email protected] (or you can open a Radar report if you're a developer), or you contact the maintainer of the package.
Often the mail addresses can be found in the README (or AUTHORS) of the source code, or on the project's website.

Yes - both Apple (specifically) and the open source developers (in general) do reference CVE in patch and security emails and participate using that mechanism for tracking reported vulnerabilities.

Apples official security posture is Apple Product Security.

But I would say that your best bet would be to submit vulnerabilities via the Apple Bug Reporter and their product-security email address . Additionally, if the part with the vulnerability is an open-source project, you should also notify the open source project as well.

The procedure for reporting security vulnerabilities varies but the place to report would be directly to the open source project. If the application is hosted in the app store then you could report directly to Apple.