Not only is it all technically feasible, it wouldn't even be *that* much work to set up the initial proposal you described, and at least the automated simpletests for the core repo on cvs.sec.d.o.
Oh, wow! That was totally not the "ARE YOU ON *CRACK*??" response I was expecting. :)

Ok, so. New and improved workflow!

1. Security hole found! OMG!
2. Head to security.drupal.org and log in (same as d.o credentials).
3. Post an issue informing the security team about the bug (they're emailed automatically on new issues). This issue is private to only you and the security team members.
4. Work with the Security Team in the issue to come up with/test a patch that fixes the bug.
5. Once a consensus is reached, commit it to your module on cvs.security.drupal.org. Run through your normal testing procedures and make sure things look good.
6. Follow the Security Team's instructions on how to go about creating/announcing the release.

Sound about right?

Looks like, implementation-wise, we need:

1. Script to sync up non-security team, CVS account-holding d.o users and make them s.d.o users with only basic privileges (create issues/access own issues).
2. Script (or something) to sync CVS / CVS users between cvs.drupal.org and cvs.security.drupal.org.
3. Script to sync d.o projects / owners / maintainers with s.d.o projects / owners / maintainers.

So.. lots of synching. But in the end, I think this actually *saves* the Security Team tons of time, both at the outset (the developer is the one who initiates the process) and also in ongoing education (the team is no longer a "black box" where the developer is waiting for information but instead feeding out useful information to developers as the reviewing process is happening).

Huge +1 to the automated testing stuff too, but probably best to start simple first. :)
Any objections? Any volunteers?
I'm willing to work with you (or someone) to do this synching stuff. I don't think I have the time/knowledge to do it alone. -Angie