From f183b75a07db0dd92c4ddc346f51c1ffdcd91d3b Mon Sep 17 00:00:00 2001
From: Louis Lam <louislam@users.noreply.github.com>
Date: Sun, 16 Nov 2025 20:45:49 +0800
Subject: [PATCH] Update security reporting instructions in SECURITY.md

Clarify reporting guidelines for security issues.
---
 SECURITY.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/SECURITY.md b/SECURITY.md
index ad252370b..708244797 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -8,7 +8,8 @@
    do not send a notification, I probably will miss it without this.
    <https://github.com/louislam/uptime-kuma/issues/new?assignees=&labels=help&template=security.md>
 
-Do not use the public issue tracker or discuss it in public as it will cause
+- Do not report any upstream dependency issues / scan result by any tools. It will be closed immediately without explainations. Unless you have PoC to prove that the upstream issue affected Uptime Kuma.
+- Do not use the public issue tracker or discuss it in public as it will cause
 more damage.
 
 ## Do you accept other 3rd-party bug bounty platforms?