diff --git a/SECURITY.md b/SECURITY.md index bedcea15ae..eb24e8b322 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -6,19 +6,21 @@ Kata Containers is a **rolling-release** project: every monthly release replaces ## Reporting a Vulnerability -1. **Private first.** +* **Private first.** Do **not** open a public GitHub issue or pull request. -2. **Use the repository Security tab.** - • Click **“Security ➜ Report a vulnerability.”** - • This creates a private, access-restricted issue visible only to Kata maintainers and designated security champions. +* **Use the offical Github documentation on how to report a vulnerability.** + [Creating a repository security advisory](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory#creating-a-security-advisory) -3. **Response targets (OpenSSF guidelines).** - | Action | Target time | Notes | - | ------ | ----------- | ----- | - | Initial maintainer response | **≤ 14 calendar days** | Acknowledge receipt and begin triage. | - | Triage & severity scoring | **≤ 30 days** | We follow CVSS v3.1. | - | Fix availability | **Next scheduled monthly release**
(or an out-of-band patch release for Critical/High issues) | We may cut `vX.Y.Z` if waiting a full month poses undue risk. | +### What to Expect + +Once you've reported a vulnerability, here's what you can expect from our security response process. We follow OpenSSF guidelines for response timing: + +| Action | Target time | Notes | +| ------ | ----------- | ----- | +| Initial maintainer response | **≤ 14 calendar days** | Acknowledge receipt and begin triage. | +| Triage & severity scoring | **≤ 30 days** | We follow CVSS v3.1. | +| Fix availability | **Next scheduled monthly release**
(or an out-of-band patch release for Critical/High issues) | We may cut `vX.Y.Z` if waiting a full month poses undue risk. | --- @@ -26,7 +28,7 @@ Kata Containers is a **rolling-release** project: every monthly release replaces | Release | First published | Security-fix window | |---------|-----------------|---------------------| -| **Latest monthly release** | see `git tag -l` | Actively maintained | +| **Latest monthly release** | see `git tag --sort=-creatordate \| head -n 1` | Actively maintained | | Any prior release | — | **Unsupported** – please upgrade | > **Why no backports?** @@ -38,10 +40,10 @@ Kata Containers is a **rolling-release** project: every monthly release replaces 1. We develop the fix on a private branch. 2. Once validated, we coordinate embargo dates with downstream consumers when appropriate. -3. The fix ships in **either**: - * A point release (e.g., `v3.18.1`) if the vulnerability affects only the current series, **or** - * The next regular monthly release (e.g., `v3.19`) when impact is moderate and waiting does not materially increase risk. -4. After the fix is public, we request a CVE ID (if not already issued) and publish details. +3. We request a CVE ID from MITRE (or another CNA) if one hasn't already been assigned. +4. The fix and vulnerability details are published together in **either**: + * Common: The next regular monthly release (e.g., `v3.19`) when impact is moderate and waiting does not materially increase risk, **or** + * Exception: A point release (e.g., `v3.18.1`) if the vulnerability affects only the current series. --- 
@@ -64,7 +66,7 @@ Kata Containers is a **rolling-release** project: every monthly release replaces A: No. Upgrade to the latest monthly release. **Q: Can I get early access to embargoed fixes?** -A: Only project members under the disclosure agreement (see [SECURITY_CONTACTS](https://kata-containers/kata-containers/SECURITY_CONTACTS)) receive advance patches. +A: Only project members under the disclosure agreement (see [SECURITY_CONTACTS](SECURITY_CONTACTS)) receive advance patches. **Q: Where can I discuss the vulnerability once it is public?** A: Open/continue a GitHub issue **after** the advisory is published, or use `#kata-containers` on Slack with a link to the advisory. diff --git a/SECURITY_CONTACTS b/SECURITY_CONTACTS index e6b1fdccc6..4e256b39b7 100644 --- a/SECURITY_CONTACTS +++ b/SECURITY_CONTACTS @@ -1,9 +1,13 @@ +# Copyright (c) 2025 Kata Containers Authors +# +# SPDX-License-Identifier: Apache-2.0 +# # Defined below are the security contacts for this repo. # # They are the contact point for the Product Security Committee to reach out # to for triaging and handling of incoming issues. # # DO NOT REPORT SECURITY VULNERABILITIES DIRECTLY TO THESE NAMES, FOLLOW THE -# INSTRUCTIONS AT hhttps://github.com/kata-containers/kata-containers/security +# INSTRUCTIONS AT [SECURITY.md](SECURITY.md) @kata-containers/architecture-committee
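Review bot: In the first SECURITY.md hunk ("Reporting a Vulnerability"), the new line `+* **Use the offical Github documentation on how to report a vulnerability.**` has two typos ("offical" should be "official", "Github" should be "GitHub"), and the page it links to, "Creating a repository security advisory", is the maintainer-side workflow for drafting an advisory, not the reporter-side flow. The removed lines told a reporter exactly what to click (**Security ➜ Report a vulnerability**) and that the resulting report is visible only to Kata maintainers and designated security champions; that is the operational detail someone holding a live bug needs, so keep it, or at least link the repository's own Security tab (`https://github.com/kata-containers/kata-containers/security`, the URL the old SECURITY_CONTACTS pointed at) instead of the generic docs. Switching the list from `1.`/`2.` to `*` also drops the ordering of what is still a sequential procedure: report privately first, then expect the timeline now under "What to Expect".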
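Review bot: In the Supported Versions hunk, `git tag --sort=-creatordate \| head -n 1` prints the most recently *created* tag, which is not necessarily the latest monthly release: any tag created later, release or not, sorts first, and for lightweight tags `creatordate` falls back to the commit date. Sorting by version (`git tag --sort=-v:refname | head -n 1`) matches the "latest release" meaning the table intends. Also, this table is mostly read rendered on GitHub where the reader cannot run git, so a link to the repository's Releases page would serve better than a shell command; if the command stays, verify that the escaped `\|` inside the code span renders as a single pipe in the table cell.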
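Review bot: In the fix-process hunk, the new step 4 criterion for a point release (`A point release (e.g., v3.18.1) if the vulnerability affects only the current series`) does not select anything in a rolling-release project where, per the Supported Versions table, only the current series is supported (every fix affects only the current series), and it contradicts the response-targets table in the same file, which promises an out-of-band patch release for Critical/High issues. Align the two: make severity and "undue risk" the trigger for the `v3.18.1`-style exception, and keep the next monthly release (`v3.19`) as the common path. Moving the CVE request to step 3, before publication, is the right change, since the ID should be reserved while the fix is still on the private branch; consider naming the CNA the project actually requests from instead of "MITRE (or another CNA)".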
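Review bot: In the SECURITY_CONTACTS hunk, the replacement line `+# INSTRUCTIONS AT [SECURITY.md](SECURITY.md)` uses Markdown link syntax in a plain-text, `#`-commented file with no `.md` extension, so the brackets and parentheses will be shown literally wherever the file is read. The fix for the old `hhttps://` typo should be a plain reference, e.g. `# INSTRUCTIONS AT SECURITY.md IN THIS REPOSITORY` or the corrected URL `https://github.com/kata-containers/kata-containers/security`, which is the private-reporting entry point the old line was pointing at.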