Yeah, Tidelift partners with OpenSSF, I think. They give us some tasks to implement, including
security-related ones. They even invited us to participate in some research in the past but I ended up not joining.
Additionally, both active maintainers have a lot of other projects in their care, which results in scaling
new maintenance approaches (including security) across many repositories. We may not be very active
in the repository as the framework is pretty much feature-complete but we're still watching over everything
with care and try to adopt best practices as we streamline them across many other projects.
-S