Request a security readiness review of Incident-Reporting-System
Closed, Resolved, Public

Description

Per the docs: https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment#Preparing_for_deployment

To open a request, create a security readiness review task and mark it as a subtask of the production deployment tracking task (via "Edit Task" in the upper right corner). A security readiness review can be a blocker for production deployment depending upon the details of the request and its results.

Event Timeline

Aklapper renamed this task from "request a security readiness review" to "Request a security readiness review of Incident-Reporting-System". Jul 7 2023, 11:49 AM

From item 4 of "preparing for deployment" https://www.mediawiki.org/wiki/Writing_an_extension_for_deployment#Preparing_for_deployment:

While it is strongly recommended to have a security readiness review performed prior to beta cluster deployment, the timing of various project milestones and the nature of the project itself may not accommodate this. In this case, it is best to discuss any proposed beta cluster deployments with the Security Team outside of any requested reviews.

We'd like to give the security team enough time to review the extension code, but we also want it on beta cluster in order to get feedback from community members. So, I would propose that we start the security review process after we've got some more code and infrastructure in place, and after we've already enabled it on one or two beta cluster wikis. (cc @sbassett)

Sounds good. Ideally we'd prefer codebases as close to production-ready as possible for security review.