...
Named security contacts per project (at least two)
Security issue reporting process defined in SECURITY.md with reference to Hyperledger reporting process
Security issue disclosure process - see Disclosure task force
Leverage automated scans
linters
Software Composition Analysis dependency scans, e.g. Dependabot, Govulncheck (depends on language)
Static Application Security Testing (SAST) aka static analysis scans, e.g. CodeQL, Snyk
Keep dependencies up to date (, e.g. Dependabot)
Security audits for Graduated project major releases
Review and obtain OpenSSF Best Practices Badge - criteria
Security Artifact Signing - proposed task force
...