Currently, the general reference is "30 days notice" but this is really 30 days to get a review done from top to bottom. That is probably aggressive as this backlog grows.
We already set an expectation here:
Typically, WMF teams or MediaWiki developers embarking on a new project should plan to have 2 or 3 check-ins with the Security Team.
But this seems to not be grabbing attention and we are seeing reviews (even significantly sized ones) surface for the first time 30 days or less from expected launch.
Differentiation between expected timeline for first engagement with the Security Team and expected timeline for review work is needed.
https://www.mediawiki.org/wiki/Security/SOP/Security_Readiness_Reviews
https://www.mediawiki.org/wiki/Security/SOP/Security_Concept_Reviews
We also have T242791: Implement an 'Estimated Start Date' field in Phab in the works to help with communicating flow through our process with task attributes but the expectations themselves have to first be represented in the SOP.
Possibly also address the use of the new Est Start Date field from T242791?