So this guideline: "Changesets need to add the Wikimedia Security group as reviewers. No single team member should be singled out for review." - that... really just doesn't happen IME. And I'm not sure it even makes sense. 99.9% of all "security-related" change sets are likely only relevant for Maryum, Sam and myself. Maybe it makes sense to have a gerrit-security-review group with just us in it? The other thing is that a lot of people just don't know how/when to add us to gerrit change sets, even though we've tried to socialize this a bit. Though if we sent out something more along the lines of "every team and volunteer should tag security team members for any change set they think is vaguely security-related", it would break us, as we couldn't even begin to keep up with that volume of code.
