The intention is to allow projects to officially involve security experts to assist with vulnerability reports without granting them full committer rights, e.g., write permissions on the code repositories. This has been a recurring request from large, mature projects where the security response team can be quite separate from the development team. It also alleviates the burden of demonstrating previous contributions to the project to onboard security experts.
However, this is the exception rather than the default, where all committers are part of the security team. Any deviation from this norm (where the security team should only be a subset of the committers or include non-committers) is subject to a vote by the project committers and the PMC.
Indeed, good point. When the project security team is distinct from the project committers, its members can be retired by the Project Leads (PL) just as they can do for committers. What about adding a paragraph similar to the one for committers:
There are times when the Project Security Team may become inactive for various reasons. The security of the project relies on active members who respond to vulnerability reports in a timely manner. The Project Leads are responsible for ensuring the smooth operation of the project. A Project Security Team member who is disruptive, does not participate actively, or has been inactive for an extended period may have their commit status revoked by the unanimous consent of the Project Leads. Unless otherwise specified, "an extended period" is defined as "no activity for more than six months".
Would something like that help?
You can review the background and previous discussions that led to this request to update the EDP on the following help desk ticket: https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/1709
Cheers,