I’m not sure that a clear definition has been given.
The flexible nature of a community project like this is valuable. But structure is also valuable. I want to emphasize again the benefits of creating user profiles that are of interest to the community. This will help people keep realistic threats in mind. And people who are focused on a more narrow scope might notice a problem that doesn’t fit into their scope, but being primed with the range of threats that are of interest would make it more likely for them to notice those problems. And I like to think that most people would responsibly report a problem if they see it even if it doesn’t impact them directly.
I also want to note that I would typically love to participate more in a process like this, but I’m currently working on creating a Guix template for QubesOS while also working on an academic portfolio so that I’ll actually get admitted to school the next time around on top of working a full-time job so I can pay the bills… so I don’t have much spare time at the moment. =(