In order to generate the list of security group members dynamically, it would be best to update contributors.son and then generate this web page: https://webkit.org/old/security/security-group-members.html
Isn't this an escalation of privilege? Not everyone who can edit this file is a security group member.
It is just the list for the website. It puts it in a central location that we can generate the page from.
Putting the flags in contributors.json at least means it goes through the review process, whereas now it is just a page on the site.
In fact, we encourage always landing contributors.json changes without review, and normally without a Bugzilla bug either. There is very little scrutiny over changes to this file, and I would be in favor of reducing our reliance on it.