and it's properly publicly communicated at the right time (preferably
when the issue is public -- when it is committed).
Should you consider this approach, is there anything I can help with to
make that happen?
Yes, I need someone to actually do this. There used to be a Red Hat
security team member that did this, or so I thought.