Hacker News
by scovetta 1597 days ago
I love this, yes.

Root cause analysis ("How did this thing happen in the first place, does it exist anywhere else, and how can we prevent it from happening again?") should be a core part of our work in Alpha-Omega, and we should include this information in our publications.

To the larger point -- the idea of "open sourcing the process for finding vulnerabilities in open source" captures a lot of the work already being done in OpenSSF, but there's a lot more we can do. (If you're interested in helping us with this, we'd love to have you!)