📝 improve docs around the sec team and processes

Author: ctcpip

Contributing.md

@@ -1,39 +1,47 @@
 # Contributing
 
-We are open to, and grateful for, any contributions made by the community. By participating in this project, you agree to abide by [Express.js Code of Conduct](https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md).
+We are open to, and grateful for, any contributions made by the community. By participating in this project, you agree to abide by the [Express.js Code of Conduct](https://github.com/expressjs/express/blob/master/Code-Of-Conduct.md).
 
 ## How to Contribute
 
 The Security Working Group is open to anyone who is interested in security and wants to contribute to the security of the Express.js ecosystem. You don't need to be a security expert to join the group, but you need to be passionate about security and willing to learn and contribute. We encourage you to join the group and contribute in the following ways:
-- Participate in the meetings
-- Participate in the offline discussions
-- Contribute to the [GitHub issues](https://github.com/expressjs/security-wg/issues)
-- Provide feedback on the security policies and procedures
-- Contribute to the security guidelines and recommendations
+
+- Participate in meetings
+- Participate in offline discussions
+- Contribute to [GitHub issues](https://github.com/expressjs/security-wg/issues)
+- Provide feedback on security policies and procedures
+- Contribute to security guidelines and recommendations
 
 The group is composed by two groups of members: the Security Triage Team and the Regular members. The regular members are responsible for the public facing activity of the group, while the Security Triage Team is responsible for the security triage process.
 
 ## How to join the Security Working Group?
 
 To join the Security Working Group, you need to:
+
 - Join the [OpenJS Foundation Slack](https://openjsf.org/collaboration)
 - Join the channel `#express` in the [OpenJS Foundation Slack](https://openjsf.org/collaboration)
 - Contribute to the group activities
-- Discuss with the existing members about your interest in joining the Security Triage Team, so they can evaluate your participation and invite you to join the team.
-
+- Discuss with the existing members about your interest in joining the Security Working Group, so they can evaluate your participation and invite you to join the team.
 
 ## How to join the Security Triage Team?
 
-By default, all the Technical Committee (TC) members, and repo captains are part of the Security Triage Team. Also, the Security Triage Team can invite other members to join the team based on their participation and contributions to the group activities.
+By default, all the Technical Committee (TC) members are part of the Security Triage Team.
 
-It is expected that the Security Triage Team members have a good understanding of the Express ecosystem and the security practices, and are willing to contribute to the security of the Express ecosystem in a long term.
+It is expected that the Security Triage Team members have a good understanding of the Express ecosystem, security practices, and are willing to contribute to the security of the Express ecosystem in the long-term.
 
-This group is responsible for the security triage process, and the members of this group are expected to be available to support the TC team on security triage when is requested. The Security Triage Team is responsible for managing incoming security reports, and responsible also to help developing patches or security releases.
+This group is responsible for the security triage process, and the members of this group are expected to be available to support the TC on security triage when requested. The Security Triage Team is responsible for managing incoming security reports, to prepare security patches/releases, and to coordinate vulnerability disclosures.
+
+The Security Triage Team may invite other members to join the team based on their participation and contributions to group activities.
+
+> [!IMPORTANT]  
+> Due to the sensitive nature of the role, new members nominated to the Security Triage Team must be approved by consensus of the TC.
 
 ### Onboarding process
 
 A TC member will help you to get started with the onboarding process. The onboarding process includes:
+
 - Provide guidance to the group activities
 - Introduction to the security triage private channel in Slack `#express-security-triage`
+- Membership in the GitHub team
 - Access to the security triage private repository
-- Access to the reporting tools
+- Access to the reporting tools

README.md

@@ -2,7 +2,9 @@
 
 ## Charter
 
-The Security Working Group manages all aspects and processes linked to the Express Project's security, and is responsible for managing incoming security reports, and responsible also to prepare patches or releases. The nature of this task is sensitive, so only the Security triage team, Repo Captains and TC members will be involved in it.
+The Security Working Group manages all aspects and processes linked to the Express Project's security.
+
+The Security Triage Team is responsible for managing incoming security reports, to prepare security patches/releases, and to coordinate vulnerability disclosures. The nature of this task is sensitive, so only the Security Triage Team, TC members, and (impacted) Repo Captains are involved in the process.
 
 ### Responsibilities
 
@@ -18,21 +20,17 @@ The Security Working Group manages all aspects and processes linked to the Expre
 
 ## Current Initiatives
 
-We are currently defining the Initiatives for 2024, [feel free to participate](https://github.com/expressjs/security-wg/issues/1).
-
 | Initiative | Champion | Status | Links |
 |------------|----------|--------|-------|
 | OSSF Scorecard | [@inigomarquinez](https://github.com/inigomarquinez) | In progress | [#2](https://github.com/expressjs/security-wg/issues/2)|
 | Threat Model | _TBC_ | In progress | [#3](https://github.com/expressjs/security-wg/issues/3) |
-| Support OSTIF Audit | [@UlisesGascon](https://github.com/ulisesgascon) | In progress | [#6](https://github.com/expressjs/security-wg/issues/6)
 
 ## Members
 
 The Security Working Group is composed of two groups of members: the Security Triage Team and the Regular members. The regular members are responsible for the public facing activity of the group, while the Security Triage Team is responsible for the security triage process.
 
 ### Security Triage Team
 
-- [Adam Ruddermann](https://github.com/ruddermann)
 - [Carlos Serrano](https://github.com/carpasse)
 - [Chris de Almeida](https://github.com/ctcpip)
 - [Íñigo Marquínez Prado](https://github.com/inigomarquinez)
@@ -44,23 +42,26 @@ The Security Working Group is composed of two groups of members: the Security Tr
 - [Wes Todd](https://github.com/wesleytodd)
 
 ### Team Members
-- [Adam Ruddermann](https://github.com/ruddermann)
+
 - [Carlos Serrano](https://github.com/carpasse)
 - [Chris de Almeida](https://github.com/ctcpip)
 - [Íñigo Marquínez Prado](https://github.com/inigomarquinez)
 - [Jean Burellier](https://github.com/sheplu)
+- [Jon Church](https://github.com/jonchurch)
 - [Marco Ippolito](https://github.com/marco-ippolito)
 - [Rafael Gonzaga](https://github.com/RafaelGSS)
 - [Ulises Gascón](https://github.com/UlisesGascon)
 - [Wes Todd](https://github.com/wesleytodd)
 
 ## Meetings
 
-The Security Working Group meets every two weeks. Meetings are held on Zoom and are recorded or directly streamed to Youtube. The meeting is open to the public. The agenda and meeting notes are published in this repository. The calendar entries are available in the [OpenJS Foundation calendar](https://openjsf.org/collaboration).
+<!-- The Security Working Group meets every two weeks. Meetings are held on Zoom and are recorded or directly streamed to Youtube. -->
+
+The Security Working Group meets on an ad hoc basis. The meeting is open to the public. The agenda and meeting notes are published in this repository. You can find the calendar entries in the [OpenJS Foundation calendar](https://openjsf.org/collaboration).
 
 ## Offline Discussions
 
-The Security Working Group uses the [GitHub issues](https://github.com/expressjs/security-wg/issues) for offline discussions. The discussions are open to the public and anyone can participate. Also, the group uses the channel `#express-security-wg` in the [OpenJS Foundation Slack](https://openjsf.org/collaboration) for real-time discussions.
+The Security Working Group uses [GitHub issues](https://github.com/expressjs/security-wg/issues) for offline discussion. The discussions are open to the public and anyone may participate. Also, the group uses the channel `#express-security-wg` in the [OpenJS Foundation Slack](https://openjsf.org/collaboration) for realtime discussions.
 
 ## Code of Conduct