1.5 years in the community seems like a reasonable threshold for a random person wanting to join the security team; however, if an established security expert joined the community and wanted to help, I don’t think I’d make her wait 1.5 years.
Is it common to have a mechanism for early notification of vulnerabilities? In the past, we considered making a security-announce mailing list to broadcast early warnings to interested parties. I’m not sure if that’s necessary or best practice. Talk could probably suffice, but it would be good to have a more well-defined process for notifications (e.g., a post to which category, using what tags, etc.).