From b27950ceae52aa7a0f482494fe67b6069234d417 Mon Sep 17 00:00:00 2001 From: Jacob Rothstein Date: Wed, 24 Jan 2024 09:43:19 -0800 Subject: [PATCH] security: Indicate that a draft security advisory is insufficient notification --- SECURITY.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index ebc1b2278d..e175c01ab7 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -5,4 +5,10 @@ Until Trillium reaches 1.0, only the most recent release will be certainly be supported for security updates, but an effort will be made to backport critical patches when possible. ## Reporting a Vulnerability -To report a vulnerability, email [hi@jbr.me](mailto:hi@jbr.me) + +To report a vulnerability, email [hi@jbr.me](mailto:hi@jbr.me) and/or contact me on [signal](https://signal.group/#CjQKIAarILo8OPFVt2qMCYgtDsPwOwwf_zVkZcDi7HEnF-BUEhAOAw28LIdxCfjbSiOJ36jB). The latter is an experiment, so please follow up by email additionally for now. + +Feel free to [draft a GitHub Security Advisory](https://github.com/trillium-rs/trillium/security/advisories/new) in addition to the above. + +> [!IMPORTANT] +> Please do not _exclusively_ file a GitHub security advisory without also reaching out on another channel. GitHub's notifications for draft security advisories are inadequate and too easily missed.
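Review bot: The new "To report a vulnerability" line says "email ... and/or contact me on signal", which lets a reporter read Signal alone as sufficient, while the very next sentence asks them to "follow up by email additionally for now". Suggest making email the required channel and Signal the optional one, for example "email hi@jbr.me; you may additionally contact me on Signal", so that the instruction matches the caveat and the IMPORTANT note about not relying on a single channel. The link target is a signal.group URL, so it would also help to state who can see messages sent there; if anyone holding the link can join, reporters should be told not to post vulnerability details in it. Minor points: capitalize the link text as "Signal", and since the file is being touched, the unchanged context line "will be certainly be supported" has a doubled "be" that could be fixed in the same commit.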