One observation about this discussion: Until there is actually a way to make a binary deliverable from AOOo, any inbound security alerts would probably need to be referred to LibreOffice anyway. While the Apache-only list that's being speculatively designed here might be applicable once the project is creating deliverables, but until then a pragmatic approach of a temporary and inclusive list seems hugely preferable.
S.
