Have mechanism for seeing privately reported security vulnterabilities

[BigLep]

Done Criteria

Maintainers get notified of privately reported security vulnerabilities and they're tracked by the working group.

Why Important

As we get on mainnet and declare ourselves GA we can expect more security vulnerabilities to be reported given we invited them in https://github.com/FilOzone/.github/blob/main/SECURITY.md. We need to make sure they don't fall through the cracks to build trust with reporters and not expose our users for an unnecessarily long time to vulnerabilities.

Notes

• Implementation ideas
  • Slack bot like we have with PRs. This is ultimately work that needs to make it onto our board though...
  • Bot that creates FOC board items (not issues) with a link to the security vulnerability that way we see it can action it. We could also create issues in a private repo for tracking these so anyone in the public looking at the board doesn't see them.
• I would want to make sure we get security vulnerabilities for the repos posted in https://github.com/FilOzone/.github/blob/main/SECURITY.md plus repos like filecoin-pin.

[BigLep]

Cc @rjan90 since I assume you'll probably get to this first from an implementation regard.
Cc @rvagg in case he has preferences here. (I assume you see all these vulnerability notifications yourself directly because you are on top of github notifications, but I'm hoping we have something that works independent of your notification monitoring strength)

[rvagg]

you are on top of github notifications

Yeah, but it could be delayed. A bot to a private security channel might be nice if we can pull it off. SECURITY.md is merged and we have private security reporting everywhere that matters, so now it'd just be a matter of figuring out how to wire up something that watches.