From a9f35523c9b2636a052410242c0c773ef5806bcf Mon Sep 17 00:00:00 2001 From: Zanie Blue Date: Tue, 28 Jan 2025 14:36:53 -0600 Subject: [PATCH] Add CVE disclosure to security policy (#11037) --- SECURITY.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index b6cd79cf9..d60e03fba 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -21,3 +21,8 @@ If you have found a possible vulnerability that is not excluded by the above While we sincerely appreciate and encourage reports of suspected security problems, please note that Astral does not currently run any bug bounty programs. + +## Vulnerability disclosures + +Critical vulnerabilities will be disclosed via GitHub's +[security advisory](https://github.com/astral-sh/uv/security) system.
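Review bot: In the added "Vulnerability disclosures" section, "Critical vulnerabilities" leaves the threshold undefined and says nothing about issues below it, so a reader cannot tell whether a non-critical vulnerability will be announced anywhere. Suggest naming the severity scale that decides what counts as critical (for example a CVSS rating) and stating what happens to lower-severity reports. The commit subject says "Add CVE disclosure", but the added text never mentions CVEs; if advisories are meant to carry CVE identifiers, say so in the sentence. The link target is the repository's general security tab (`https://github.com/astral-sh/uv/security`); linking to the advisories list itself would take readers straight to the published disclosures.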