It seems GitHub are making "security alerts" on repos more visible to those with rights... https://help.github.com/articles/about-security-alerts-for-vulnerable-dependencies/
These relate to Ruby gems, java, NPM packages
Manually copy pasting the announce to phabricator security tasks does not scale, we should look at some way of processing/dealing with these. We would need a system that is more reliable. Maybe by having github to send an email handled by Phabricator which would then create the tasks for us?