Keep in mind that while I am employed by the Linux Foundation, I know nothing of the internals of this project; I will speak, instead, of what the projects I support do.
I have found (c) to be high noise, low signal. We're winding down our HackerOne program.
D: we do this in a couple of ways. For PQCA, for instance, we use credits from AWS to get access to hardware to run proofs and CI on. PQCA also has a paid mentorship program.
For OWF, we do the same with AWS credits, as well as provide hosting for projects to run services on for testing.
For LFDT, we offer paid mentorships, have paid for Trail of Bits to do reviews, and run events. We had a maintainer summit in New York in January so our maintainers could meet for two days face-to-face. We fund large GitHub CI runners for projects as well.
I know it doesn't answer everything, but our team is only a few people and we really do work hard to help developers. What I'll call the devrel team for OWF/PQCA/LFDT is three FTE, one contractor, and our manager.
LFDT: https://www.lfdecentralizedtrust.org/
OWF: https://openwallet.foundation/
PQCA: https://pqca.org/
PQCA benchmarks, for instance: https://pq-code-package.github.io/mldsa-native/dev/bench/