Have a vetting process
What
A process to validate your contributors are who they say they are.
Why
This helps to validate those who are contributing. It is not meant to discourage contributions, but to build community and provide security.
When
When you start getting external contributions
The vetting process is not meant to be something where you interrogate your contributors. It is more to say that you shouldn’t trust every contribution blindly. In practice, many of us will look at the GitHub profile of an unfamiliar contributor and use a “web of trust” type of approach, where membership in a known lab’s GitHub organization or experience contributing to known projects is taken as a good sign.
While these are useful signals, they are not foolproof. It is still important to be wary of contributions from unknown sources, and to review pull requests from external contributors especially carefully.
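As an added illustration (example code, not part of this guide or of any project's tooling), the “web of trust” signals described above can be gathered from the public GitHub REST API rather than by hand: account age from /users/{login}, public organization memberships from /users/{login}/orgs, and merged pull requests in projects you already trust from the /search/issues endpoint. The fetcher is injected so the logic runs offline against constructed sample responses; the list of known organizations and repositories, the 180-day threshold, and the sample data are assumptions for the example.

```python
"""Summarise public GitHub web-of-trust signals for an unfamiliar PR author.

Added example, not part of the original guide. Endpoints used are the public
GitHub REST API; `fetch_json` is injected so the check can run offline.
"""
from datetime import datetime, timezone
import json
import urllib.request

API = "https://api.github.com"

# Assumed lists of organizations and repositories the maintainers already trust.
KNOWN_ORGS = ["KnownLab"]
KNOWN_REPOS = ["knownlab/tool"]


def github_fetch(url):
    """Live fetcher: unauthenticated GET (rate-limited); add a token header for real use."""
    req = urllib.request.Request(
        url,
        headers={"Accept": "application/vnd.github+json", "User-Agent": "vetting-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def account_age_days(created_at, now=None):
    """Days since the account was created; created_at is the API's ISO-8601 UTC string."""
    created = datetime.strptime(created_at, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return (now - created).days


def assess_contributor(login, known_orgs, known_repos, fetch_json=github_fetch, now=None):
    """Collect signals and a review recommendation for one contributor login."""
    user = fetch_json(f"{API}/users/{login}")
    # Note: only *public* organization memberships are returned for other users.
    orgs = {o["login"].lower() for o in fetch_json(f"{API}/users/{login}/orgs")}
    trusted_orgs = sorted(orgs & {o.lower() for o in known_orgs})

    merged = {}
    for repo in known_repos:
        query = f"author:{login}+is:pr+is:merged+repo:{repo}"
        result = fetch_json(f"{API}/search/issues?q={query}")
        if result.get("total_count", 0):
            merged[repo] = result["total_count"]

    age = account_age_days(user["created_at"], now)
    linked = bool(trusted_orgs or merged)
    return {
        "login": login,
        "account_age_days": age,
        "public_repos": user.get("public_repos", 0),
        "followers": user.get("followers", 0),
        "trusted_org_memberships": trusted_orgs,
        "merged_prs_in_known_projects": merged,
        "web_of_trust_link": linked,
        # A new account with no history is not proof of bad intent, only a
        # reason to review the change itself more carefully.
        "recommendation": "standard review" if linked and age >= 180
        else "heightened review: treat as unknown source",
    }


# Constructed sample responses so the example runs offline (not real accounts).
SAMPLE_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
_SAMPLE = {
    "alice": ({"created_at": "2019-03-01T00:00:00Z", "public_repos": 12, "followers": 40},
              [{"login": "KnownLab"}], {"knownlab/tool": 3}),
    "bob": ({"created_at": "2023-12-20T00:00:00Z", "public_repos": 0, "followers": 0},
            [], {}),
}


def sample_fetch(url):
    """Offline stand-in for github_fetch that answers from the constructed data above."""
    for login, (user, orgs, merged) in _SAMPLE.items():
        if url.endswith(f"/users/{login}"):
            return dict(user, login=login)
        if url.endswith(f"/users/{login}/orgs"):
            return orgs
        if "search/issues" in url and f"author:{login}+" in url:
            repo = url.split("repo:", 1)[1]
            return {"total_count": merged.get(repo, 0)}
    raise ValueError(f"no sample response for {url}")


def run_sample(login):
    """Assess one of the constructed sample contributors offline."""
    return assess_contributor(login, KNOWN_ORGS, KNOWN_REPOS, fetch_json=sample_fetch, now=SAMPLE_NOW)


if __name__ == "__main__":
    for name in _SAMPLE:
        print(json.dumps(run_sample(name), indent=2))
```

The output is a summary for the reviewer, not a gate: a contributor with no link to a known organization or project still gets their pull request reviewed, just with more care, which matches the point that these signals are useful but not foolproof.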