NuGet / NuGetGallery

NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
https://www.nuget.org/
Apache License 2.0

Notify package owners of new vulnerabilities #8592

Open drewgillies opened 3 years ago

drewgillies commented 3 years ago

Mail blast to owners with vulnerabilities created since last mail blast.

This will require building an API query since the last mail blast date and transforming the result into added/removed/ranges_severity_changed etc.

Edit by @joelverhagen: an additional tweak on this proposal (great from @Tratcher!) is that we could introduce a verify/approve/correct workflow that gives the author 24 hours to act before we go live on NuGet.org. Example case where this would have helped: https://twitter.com/JamesNK/status/1600844999783903233 (GitHub Advisory DB switched a patched version from 13.0.1 to 13.0.2 for a short period, causing noise).
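The query-and-diff step in the proposal above, written out as an added example that is not NuGetGallery's own code: it compares two advisory snapshots (assumed shape: advisory id mapped to package, severity and first patched version), buckets changes per package as added/removed/ranges_severity_changed, groups them by owner, and applies the proposed 24-hour hold before a change goes live. Package names, advisory ids, addresses and the owner mapping are constructed sample data.

```python
# Constructed example, not NuGetGallery code: diff two advisory snapshots
# (advisory id -> Advisory) taken at consecutive mail-blast dates and bucket
# the changes per package as added / removed / ranges_severity_changed.
from dataclasses import dataclass
from datetime import timedelta

@dataclass(frozen=True)
class Advisory:
    package: str          # package ID the advisory applies to
    advisory_id: str      # placeholder identifier (constructed, not a real GHSA id)
    severity: str         # e.g. "Moderate", "High"
    patched_version: str  # first fixed version; defines the vulnerable range

CHANGE_KINDS = ("added", "removed", "ranges_severity_changed")

def diff_advisories(previous, current):
    """Return {package: {kind: [advisory_id, ...]}} covering every change."""
    changes = {}
    def record(adv, kind):
        per_pkg = changes.setdefault(adv.package, {k: [] for k in CHANGE_KINDS})
        per_pkg[kind].append(adv.advisory_id)
    for aid, adv in current.items():
        old = previous.get(aid)
        if old is None:
            record(adv, "added")
        elif (old.severity, old.patched_version) != (adv.severity, adv.patched_version):
            record(adv, "ranges_severity_changed")
    for aid, adv in previous.items():
        if aid not in current:
            record(adv, "removed")
    return changes

def owners_to_notify(changes, owners_by_package):
    """Group per-package changes by owner so each owner receives one mail."""
    mail = {}
    for package, delta in changes.items():
        for owner in owners_by_package.get(package, ()):
            mail.setdefault(owner, {})[package] = delta
    return mail

def is_live(change_seen_at, now, hold=timedelta(hours=24)):
    """Verify/approve/correct window: a change goes live only after the hold elapses."""
    return now - change_seen_at >= hold

# Constructed snapshots: ADV-1's fix flips 13.0.1 -> 13.0.2 (a range change), ADV-3 is new, ADV-2 was withdrawn.
PREVIOUS = {"ADV-1": Advisory("Example.Json", "ADV-1", "High", "13.0.1"),
            "ADV-2": Advisory("Example.Web", "ADV-2", "Moderate", "2.0.0")}
CURRENT = {"ADV-1": Advisory("Example.Json", "ADV-1", "High", "13.0.2"),
           "ADV-3": Advisory("Example.Web", "ADV-3", "High", "2.1.0")}
OWNERS = {"Example.Json": ["a@example.com"], "Example.Web": ["a@example.com", "b@example.com"]}
```

A real run would build PREVIOUS and CURRENT from the advisory API filtered by the last mail-blast date, and only mail changes for which is_live returns True.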

JonDouglas commented 1 year ago

Leaving a note here for future purposes:

We should work with GH Advisory DB / Security team to see how they can issue better notifications when an advisory is amended/edited. We should hook into that event to issue emails as well.