Mark is right; we've got several hundred projects and they all work differently. Some have lots of resources, handle lots of issues, and have mature and working processes for getting releases out. Others either handle security issues infrequently or are struggling for resources, and we need to give them some help. The ASF security team provides and maintains the common required process all projects need to follow to handle their reported security issues, and we provide as much help and guidance as we can on how they can get through them. (The yearly report gives a good overview; here's the one for 2020: https://blogs.apache.org/foundation/entry/apache-software-foundation-security-report1 )
Those projects that struggle for resources need help from more than what a PSIRT-like team can provide; what they need are people in their project able to write and test code, able to do releases, people that really understand how the project is used and the community around it. I'd also like to see us have people work more closely with the various OpenSSF initiatives. OpenSSF have a number of interesting projects that are trying to understand and address problems that have come up with OSS, many of which would benefit from people with security and, specifically, Apache projects experience.

Regards,
Mark J Cox
ASF Security
