by tatersolid 2211 days ago
Clearly we need some form of industry-standard notification mechanism, akin to security.txt for notifications.

Perhaps a well-formatted RSS feed at example.com/.well-known/security.rss?

Email just doesn’t work in 2020 for anything mission-critical.


Yes, that would probably work. This would then need to tie in with versioning support on the client side, so that people can "listen" for particular versions of dependencies.

As a user it would also need to support team or shared accounts, so that a whole team can get alerted to any issues in components of their stack.

Then you need to get everyone to support yet another standard(!), and companies need to hunt through their existing stack and identify all the critical components - I imagine lots of people will forget their dependency on things like OpenSSL/OpenSSH and forget to ensure they track bulletins for their relevant version.
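To make the proposal concrete, here is an added example (not from either commenter) of the client side: it parses a /.well-known/security.rss feed and matches bulletins against a team's dependency inventory by version. The feed text, the `affected` extension element with its `product`/`min`/`max` attributes, and the inventory are all assumptions constructed for the example.

```python
"""Minimal consumer for a hypothetical /.well-known/security.rss feed.
Assumes each <item> carries an <affected product=".." min=".." max=".."/>
element; that element is a constructed extension, not a real standard."""
import xml.etree.ElementTree as ET

# Constructed sample feed (what a vendor might publish at the well-known URL).
# A real client must fetch this over TLS and treat it as untrusted input.
SAMPLE_FEED = """<rss version="2.0">
<channel>
<title>example.com security bulletins</title>
<item>
  <title>EXAMPLE-2020-001: libfoo buffer overflow</title>
  <link>https://example.com/security/2020-001</link>
  <affected product="libfoo" min="1.2.0" max="1.4.3"/>
</item>
<item>
  <title>EXAMPLE-2020-002: barsvc auth bypass</title>
  <link>https://example.com/security/2020-002</link>
  <affected product="barsvc" min="3.0.0" max="3.0.9"/>
</item>
</channel>
</rss>"""

# Constructed team inventory: product -> version actually deployed.
INVENTORY = {"libfoo": "1.3.1", "barsvc": "3.2.0"}


def parse_version(v):
    """Dotted numeric version -> comparable tuple (assumes numeric parts)."""
    return tuple(int(p) for p in v.split("."))


def parse_feed(xml_text):
    """Yield one dict per bulletin that names an affected product range."""
    for item in ET.fromstring(xml_text).iter("item"):
        aff = item.find("affected")
        if aff is None:  # bulletin without machine-readable scope: skip
            continue
        yield {"title": item.findtext("title"), "link": item.findtext("link"),
               "product": aff.get("product"), "min": aff.get("min"), "max": aff.get("max")}


def matching_bulletins(xml_text, inventory):
    """Return titles of bulletins whose affected range covers a deployed version."""
    hits = []
    for b in parse_feed(xml_text):
        ver = inventory.get(b["product"])
        if ver is None:  # not in our stack, nothing to alert on
            continue
        if parse_version(b["min"]) <= parse_version(ver) <= parse_version(b["max"]):
            hits.append(b["title"])
    return hits


if __name__ == "__main__":
    for title in matching_bulletins(SAMPLE_FEED, INVENTORY):
        print("ALERT:", title)
```

With the inventory above only the libfoo bulletin fires, because the deployed barsvc 3.2.0 lies outside the affected 3.0.x range; the same matching logic is what a shared team alert would key on.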