
Often projects have a security@ private list w/ just key core developers subscribed. I'm not fundamentally opposed to secalert being subscribed, but it does set a precedent that distros' security teams may expect to be involved rather than notified via something like oss-security.
Subscribing secalert allows us to handle reported issues in confidence or under embargo. When security researchers who are practising responsible disclosure report issues, they often want the issue handled under embargo so that they can synchronize their own publication of the flaw with the release of a patch. There's no reason in my view that other distros' security teams can't be involved too, if they can handle issues under embargo. oss-security is publicly archived, so issues sent there can't be kept under embargo.

Red Hat SRT has a set of tools that allow us to file tracking bugs for all versions of a product affected by a given flaw. Since most ovirt projects so far are using bugzilla, we can use these tools to file tracking bugs against the ovirt projects. By giving the direct feed of information to secalert, the ovirt projects will be getting triage and bug filing back, for free.

Thanks,
David