In case of state audits:
The auditors' contact for OLE, KFS and Rice security patches at this point would be institutional representative(s) on the security.alert@kuali.org list. They should have access to the JIRAs to provide more details. If they don't, contact the Project Manager. Or, if your security reps have questions they can't answer based on the JIRAs, they can contact the Project Manager. The tricky thing here is that unless / until you are in the cloud, there is no vendor. It seems like auditors expect / want the institution's relationship with Kuali to be vendor-customer like. The Kuali security policy does not include provision of this type of support for individual institutions / audits / policies, etc.
See also: Security from the Kuali Foundation.