rdmd will create temporary files in /tmp/.rdmd . A malicious user could pre-create such a directory and link target files elsewhere. A more appropriate location for temporary files would be under the user's home directory (e.g. $HOME/.rdmd). If the user's home directory is unwritable, then /tmp/.rdmd.[random] may be used.
Not assigned to me, however a patch which appends a string of random numbers to /tmp/.rdmd can be found at https://github.com/garslo/tools/commit/c19361441bf6546dfde2c450187c46856dd41965 with pull request https://github.com/D-Programming-Language/tools/pull/4
This was pulled and incorporated some time ago.
Given that I reported this issue nearly a year ago, this isn't the sort of response time that I was hoping for with either a security report or a "critical" bug report. For future reference, is there another avenue that I should use to report such issues for a more timely acknowledgement, or is this the sort of response time I should expect?
If an issue stops from getting work done, it's always a good idea to substantiate the reason in the bug report. Also, starting a discussion on the topic at http://forum.dlang.org is helpful. On the face of it this doesn't look like a showstopper. If the matter is absolutely essential, there are many possible workarounds, starting with changing rdmd.d and ending with simply using dmd instead of rdmd for critical work.