Currently the security contact needs to be manually updated when we change the security flag of an existing bug. This should be simplified with special handling of these two transitions:
- When the bug moves from security to public, you should be able to optionally unsubscribe the security team; on by default.
- When the bug moves from public to security, you should be able to optionally subscribe the security team; on by default. You should also be subscribed to the bug if you weren't subscribed to it before.
There's the question of whether the email interface should do this as well; I don't think it needs to, since it's easy to subscribe or unsubscribe users there. The self-subscription makes sense to avoid locking yourself out of a bug, but I'm option that that (kiko)
I think this probably makes sense.
There was discussion previously that sometimes some bugs would be so secret that only the security contacts for some of the affected software should be allowed to see it, but there's no evidence so far that Malone needs to handle that use case.
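A sketch of the two transitions proposed in the description, added here as an example and not taken from Malone's code. The `Bug` model, the `set_security_flag` function, its parameter names, and the rule that a security bug is visible only to its subscribers are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Bug:
    security_related: bool = False
    subscribers: set = field(default_factory=set)

    def can_view(self, user: str) -> bool:
        # Assumption: a security bug is visible only to its subscribers.
        return not self.security_related or user in self.subscribers


def set_security_flag(bug: Bug, actor: str, security_related: bool,
                      security_contact: Optional[str],
                      update_security_contact: bool = True) -> list:
    """Flip the security flag and return the subscription changes made.

    update_security_contact models the "on by default" option from the
    description; pass False to leave the security team's subscription alone.
    """
    changes = []
    if security_related == bug.security_related:
        return changes  # not a transition: subscriptions stay untouched

    if security_related:
        # public -> security: subscribe the person making the change first,
        # so they cannot lock themselves out of the bug they just restricted.
        if actor not in bug.subscribers:
            bug.subscribers.add(actor)
            changes.append(("subscribed", actor))
        if (update_security_contact and security_contact is not None
                and security_contact not in bug.subscribers):
            bug.subscribers.add(security_contact)
            changes.append(("subscribed", security_contact))
    else:
        # security -> public: optionally drop the security team. Everyone
        # else, including the actor, keeps their subscription.
        if update_security_contact and security_contact in bug.subscribers:
            bug.subscribers.discard(security_contact)
            changes.append(("unsubscribed", security_contact))

    bug.security_related = security_related
    return changes
```

Returning the list of changes gives the caller something to show the user or write to the bug's activity log, so the automatic subscriptions are never silent.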