Decentralized vulnerability data peer-review

Software packages vulnerabilities : let's say we have a security team that wants to track new vulnerabilities in the open source software packages , the security team subscribe to the account of each package by package-url then security teams review the new vulnerability information and validate the package vulnerable version range of x database by posting reviews and comments . Every project could get its own ActivityPub account .The security teams could get their own using any ActivityPub server .