In practice I see one improvement that we should make for this to happen: right now the security issues are created in JIRA and marked as confidential, and only a few people can read them. It would make sense that the lead of a project could always see the confidential issues of her own contrib project, even if she doesn’t have the right to see all confidential issues.
I assumed that yes, here the proposal is more to emphasize the need to comply with the same security policy by mentioning it in contrib.xwiki.org. In the future we can imagine amending this policy specifically for contrib: for example if we consider that the embargo delay should be different from XWiki Standard.
Sure, I didn’t mean to mention that in the policy, just to check it since it’s a technicality that might prevent complying with the policy.