There is an easy way to avoid all the trust issues with regards to
shared mailing lists.  Don't have such a list.  Trust individuals.
This proposal takes this approach.

1) The AOOo PMC solicits the names of security contacts from related
projects who wish to be consulted related to pre-disclosure
coordination related to analysis and resolution of reported security
vulnerabilities.  Names of individuals are preferred over opaque
mailing lists.  Trust can be established based on a PGP/GPG web of
trust.  These names and addresses are stored confidentially in the
PPMC's private SVN directory.

2) The AOOo security team reaches out to these contacts, as
appropriate, via their preferred contact mechanism, to coordinate on
specific vulnerabilities.  We (Apache) would cc ooo-security on our
external emails, as required by Apache policy [1].

3) Other groups would be encouraged to reach out to AOOo in similar
circumstances via our preferred contact mechanism, ooo-security.

4) This fully allows targeted collaboration on specific issues, via
each project's preferred contact mechanism, without requiring the
maintenance of an additional email list.

5) If we want to discuss security in general, then that can/should
happen on public dev lists.  That public discussion could occur
anywhere.


[1]: http://www.apache.org/security/committers.html
