When security advisories are announced, there needs to be coordination between security tooling such as cveprocess.apache.org and the ATR.
For every impacted release that has an SBOM, we could link that SBOM to the advisory.
Per @raboof: "SBOMs should ideally be immutable metadata for release artifacts and not touched afterwards. There are various 'SBOM-adjacent' formats to link SBOMs/artifacts to advisories, though (notably VDR) and we definitely might want to publish those in the future."
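As an added illustration of the "SBOM-adjacent" approach (example code written here, not ATR's own code or part of the original note): a separate CycloneDX VDR document references a component of an existing SBOM by BOM-Link, so the SBOM itself stays byte-for-byte unchanged. The SBOM contents, advisory id and URL below are constructed placeholders.

```python
import hashlib
import json

# Constructed sample SBOM (CycloneDX JSON) for a hypothetical release artifact.
# It is treated as immutable: the VDR points at it, it is never edited.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "components": [
        {"type": "library", "name": "some-lib", "version": "4.1.0",
         "bom-ref": "pkg:maven/org.example/some-lib@4.1.0"},
    ],
}


def sbom_digest(sbom: dict) -> str:
    """Canonical SHA-256 of the SBOM, used to verify it was not touched."""
    canonical = json.dumps(sbom, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def bom_link(sbom: dict, bom_ref: str) -> str:
    """CycloneDX BOM-Link: urn:cdx:<serialNumber uuid>/<version>#<bom-ref>."""
    uuid = sbom["serialNumber"].removeprefix("urn:uuid:")
    return f"urn:cdx:{uuid}/{sbom['version']}#{bom_ref}"


def build_vdr(sbom: dict, advisory_id: str, advisory_url: str, affected_refs: list) -> dict:
    """Build a CycloneDX VDR that links an advisory to SBOM components by BOM-Link."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "vulnerabilities": [{
            "id": advisory_id,  # placeholder id, e.g. "CVE-YYYY-NNNNN"
            "source": {"name": "ASF", "url": advisory_url},
            "affects": [{"ref": bom_link(sbom, ref)} for ref in affected_refs],
        }],
    }


def affected_components(sbom: dict, vdr: dict) -> list:
    """Resolve the VDR's BOM-Links back to name@version in the unchanged SBOM."""
    by_ref = {c["bom-ref"]: c for c in sbom["components"]}
    prefix = bom_link(sbom, "")  # links into this SBOM all share this prefix
    hits = []
    for vuln in vdr.get("vulnerabilities", []):
        for entry in vuln.get("affects", []):
            ref = entry["ref"]
            if ref.startswith(prefix) and ref[len(prefix):] in by_ref:
                comp = by_ref[ref[len(prefix):]]
                hits.append(f"{comp['name']}@{comp['version']}")
    return hits
```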
Note: whether this becomes an explicit phase depends on integration discussions with the security team. Current feedback from Arnout is that we should defer this feature for now.