I'm wondering what we consider a "security review" for the purposes of this collection: * A third party security audit of an open source codebase by a security firm? (Assuming yes) * A technical advisory on a vulnerability in an open source project that has undergone a coordinated disclosure? (Assuming no) * Some kind of "security review" written by the maintainers of an open source project itself? (Assuming no??) * Threat models or other documents that fall short of finding specific issues for which proof-of-concept exploits can be demonstrated? (Assuming no) * A compliance or other non-technical or semi-technical review of an open source project? (Probably not?) * Results from static analysis tools, fuzzers, etc? (Probably not but is there anywhere that collects these?)