Project maintainers, drivers, and bug supervisors should always have access to private bugs. They should not need a subscription to access their own project's private artefacts.
At UDS-n, it was discovered that all the users interviewed thought users in project roles could see private bugs. Even experienced users thought this. This is sort of true, since the project owner sets the bug supervisor team and can make all teams in the other roles members of that team, but that does not give those roles access to the historic bugs. Even Canonical employees have been burned by this -- once they changed the bug supervisor, they learned that no one in the project roles could access the hundreds of private bugs.
This issue does not relate to or propose changing how security bugs are handled. They will still require direct subscriptions and will continue to be brittle, like private bug subscriptions are.
I think 'project roles' needs to be defined much more clearly - 'blueprint driver' wouldn't imply 'can see CVE vulnerabilities' IMO.