To clarify a bit: The release engineering team owns the branch during the release process, then hands it over to the security team.
(Of course there's always cooperation between the two teams -- the security officer has to get permission to commit to the release branch prior to the release but in practice that conversation consists of "we have a security advisory affecting the upcoming release" "go ahead". Theoretically the answer might come back "please wait a few hours because we're in the middle of builds right now" though.)
(Of course there's always cooperation between the two teams -- the security officer has to get permission to commit to the release branch prior to the release but in practice that conversation consists of "we have a security advisory affecting the upcoming release" "go ahead". Theoretically the answer might come back "please wait a few hours because we're in the middle of builds right now" though.)