BTW, an important feature of these mailing lists is that anyone can post… but only the “vendor security” group can read the posts.
Thus, it is easy for an outsider with a real security issue to provide detailed information to vendor-sec@myopensourceproject.org, while preventing unscrupulous people from reading the sensitive information.
I suppose a PM to