prometheus · machine424 · Jul 21, 2025 · Jul 15, 2025 · Jul 18, 2025 · SuperQ
diff --git a/docs/operating/security.md b/docs/operating/security.md
@@ -23,12 +23,21 @@ This page describes the general security assumptions of Prometheus and the
 attack vectors that some configurations may enable.
 
 As with any complex system, it is near certain that bugs will be found, some of
-them security-relevant. If you find a _security bug_ please report it
-privately to the maintainers listed in the MAINTAINERS of the relevant
-repository and CC [email protected]. We will fix the issue as soon
-as possible and coordinate a release date with you. You will be able to choose
-if you want public acknowledgement of your effort and if you want to be
-mentioned by name.
+them security-relevant. If you discover a _security bug_ that has not yet been
+publicly disclosed, please report it privately to the maintainers listed in the
+MAINTAINERS of the relevant repository and CC [email protected].
+We will fix the issue as soon as possible and coordinate a release date with
+you. You will be able to choose if you want public acknowledgement of your
+effort and if you want to be mentioned by name.
+
+For _security bugs_ that have already been publicly disclosed and require more than
+just a dependency version bump to fix, please open a
+[Bug report](https://github.com/prometheus/prometheus/issues) including all relevant
+details, unless one has already been filed.
+
+Most dependency version updates are handled automatically. However, if a _security bug_
+fix only requires updating a dependency version and our automation missed it, feel
+free to submit the update directly.
 
 ## Automated security scanners