@todo As a security team member, I want to resolve a security issue

Steps: @todo these steps need vetting from someone(s) from the Drupal security team.

  1. End user (Guest) submits a private report of a possible security incident.
     • Only the original reporter and members of the security team can see this report.
  2. Security team member performs triage to ensure validity of the report, check for duplicates, etc.
     1. If invalid, send a scripted "thanks but no thanks" note that refers to other resources.
     2. Report is closed.
  3. If valid, security team member adds the relevant maintainer(s) to the issue; they can now see the information in the report and participate in the discussion.
  4. Maintainer(s) go back and forth with security team members to arrive at a suitable solution.
  5. The solution is tested against the affected project in a private security testbot.
  6. If it passes, the solution is back-ported to whatever other versions are affected.
  7. A security announcement (SA) is drafted and reviewed by those involved in the issue.
  8. On the next security window, the patches are applied and a release is made.
     • The release needs to be explicitly marked as a "security release" so it shows up in the appropriate places (e.g. d.o/security, Update Status dashboard).
  9. The SA is published and points to the releases.
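The workflow above, as an added illustrative model (not code from this issue or from Drupal.org): a small state machine that enforces the two security-relevant rules in the steps, namely that a report is visible only to its reporter and the security team until a security team member adds a maintainer after a valid triage, and that a release cannot go out without being explicitly marked as a security release. The class, method and role names are assumptions chosen for the example.

```python
# Added example: models the private-report workflow from the steps above.
# SecurityReport, its states and method names are assumptions for illustration.

class SecurityReport:
    STATES = ("submitted", "triaged_valid", "closed_invalid", "fix_tested", "released")

    def __init__(self, reporter, security_team):
        self.reporter = reporter
        self.security_team = set(security_team)
        self.maintainers = set()          # empty until triage says "valid"
        self.state = "submitted"
        self.security_release = False

    def can_view(self, user):
        # Private by default: reporter, security team, and explicitly added maintainers.
        return (user == self.reporter or user in self.security_team
                or user in self.maintainers)

    def _require_security_team(self, actor):
        # Every transition is driven by a security team member, not the reporter.
        if actor not in self.security_team:
            raise PermissionError(f"{actor} is not on the security team")

    def triage(self, actor, valid):
        self._require_security_team(actor)
        if self.state != "submitted":
            raise ValueError("report has already been triaged")
        self.state = "triaged_valid" if valid else "closed_invalid"
        return self.state

    def add_maintainer(self, actor, maintainer):
        # Maintainers are read in only after triage confirmed a valid report.
        self._require_security_team(actor)
        if self.state != "triaged_valid":
            raise ValueError("maintainers are added only to valid, triaged reports")
        self.maintainers.add(maintainer)

    def record_testbot_pass(self, actor):
        self._require_security_team(actor)
        if self.state != "triaged_valid":
            raise ValueError("no valid report to test a fix for")
        self.state = "fix_tested"

    def release(self, actor, marked_security):
        self._require_security_team(actor)
        if self.state != "fix_tested":
            raise ValueError("fix must pass the private testbot before release")
        if not marked_security:
            raise ValueError("release must be explicitly marked as a security release")
        self.security_release = True
        self.state = "released"
        return self.state
```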

Observations:

  • ✅ X
  • ❌ Y

Related issues:

  • #1234: Blah
Edited Sep 29, 2021 by quiet1