The Security contact (or contacts) for an identity provider or service provider is a contact point during a security incident response, and can be a service function such as "Security Operations" or individuals' email addresses. If the security contact is a mailing list or alias, it must be possible to send emails to this address from outside the registrant organisation since, by their nature, federated security incidents cross organisational boundaries. These contact details are published in metadata and elsewhere.
A Security contact can only be appointed or replaced by a Management Contact or an Administrative Contact for that entity.
Including a security contact is RECOMMENDED for all entities. There MUST be one or more security contacts for entities which are part of the Sirtfi trust framework.