Does a project’s security team need to be solely PMC? Or can ambitious committers be permitted to subscribe to a security@ list and help with the work?
I guess the underlying question is “what is the expectation around embargo on non-public/0-day security vulnerabilities” for ASF projects? Thoughts?

Mike
