As a package maintainer, I always check the dev list, to make sure
there are no security packages coming out.

One thing that might be useful is to have a dedicated resource within
security to monitor general security alert info that points out very
critical, high-threat vulnerabilities. The security community would
have the authority to push the maintainer (me) to push out a code fix
faster than I might otherwise have done so.

I'm not sure how the governing logistics would work, but is the idea
sound, or redundant?

-Brian
