Thanks Hangdog42, I believe you're right about that.
The core team will probably be the ones who establish the principles up front, and later members must agree to them to be able to join. If everyone agrees, then the ongoing risk assessment could be handled by just reporting possible new threats as the projects move along. The core team could evaluate whether the risk is relevant and work out a contingency plan to counter it (this is just one possibility I thought of myself, and I haven't found anyone supporting it yet).
And yes, it was I who started the thread, but after changing my mail information, the account was deactivated (the re-activation link was useless). Still waiting for a reply from the webmasters, but until then I will have to use this account... They're probably as busy as me.