diff --git a/CHANGELOG.md b/CHANGELOG.md
index 51d45f2..b519414 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -34,6 +34,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
  - BREAKING CHANGE: slightly modified header field format, removing redundant MAC field and making it adherent to documentation.
  - Action `init` now reads password from secure interface (not echoing characters, etc).
+ - Updated instructions in `SECURITY.md`.
 
 
 ## [0.3.1] - 2023-07-15
diff --git a/SECURITY.md b/SECURITY.md
index f2e26ae..f61e9ac 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,7 +4,7 @@ This file contains guidelines and policies for reporting and addressing security
 
 ## Reporting a Vulnerability
 
-Please notice that Shufflecake is still experimental, so we are not actively tracking vulnerabilities at this stage. In the future we will add information to report suspected vulnerabilities.
+Please notice that Shufflecake is still experimental, so we are not managing vulnerabilities in a confidential manner at this stage. In the future we will add information to confidentially report suspected vulnerabilities. For now, any vulnerability should be considered a bug and reported in the git issue tracker.
 
 <!---
 Please report (suspected) security vulnerabilities to **[securityATshufflecake.net](mailto:securityATshufflecake.net)**. In the future we will add a dedicated PGP key to allow you to encrypt communication to this address. GPG signing of your communication is welcome, but you can also report anonymously.