To separate topics from #4, I'm opening this.

It might be interesting to have an audit to find vulnerabilities. For example, Express did this a long time ago (https://expressjs.com/2024/10/22/security-audit-milestone-achievement.html
). In Express's case, it was done through https://ostif.org/
and funded by Sovereign Tech Agency. We could try to achieve the same.

Now that we have a triage team, this seems like a good idea