I am part of the security function within my organisation and thus would like to receive and consolidate known vulnerabilities across our repos. My colleagues and I tried following your instructions at https://help.github.com/en/articles/managing-alerts-for-vulnerable-dependencies-in-your-organizations-repositories; however, we found that it was not possible to add me to the list of people who should receive vulnerability alerts for a repo unless I both: a) was a member of that repo, and b) had at least ‘write’ permission to the repo.
It goes without saying that I don’t necessarily want members of the security team having access to all repos, and certainly not write access (principle of least privilege and all), and yet we should be able to be added to the list of users who receive the vulnerability alerts so that we can triage, mitigate, etc.
Would it be possible to add non-repo members (but organisation members) to the list of users who can receive the alerts? Naturally this would still be done by the repo owner(s).