we need a probably-doesn't-need-group-membership report. provide a report for the group owners which finds users who are not exercising their group membership (perhaps they used to require access to security bugs, but changed role).
the hard bit here is determining the criteria for "probably doesn't need access". a start may be "hasn't been involved in any bugs", which involved is "reported, assigned-to, qa-contacted, cc'd, needinfo'd, or commented".
You need to log in before you can comment on or make changes to this bug.