I’ve posted a pre-RFC at [pre-RFC] Security advisories as part of crates.io metadata, please continue discussion there.