diff --git a/SECURITY.md b/SECURITY.md index 340e7deba0..035adf17e8 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -2,14 +2,24 @@ ## Reporting Vulnerabilities -> **Warning** : Please do not create GitHub issues for security vulnerabilities. +> **Warning:** Do **not** create GitHub issues for security vulnerabilities. -WSO2 takes security issues very seriously. If you have any concerns regarding -our product security or have uncovered a security vulnerability, we strongly -encourage you to report that to our private and highly confidential security -mailing list: security@wso2.com first, without disclosing them in any forums, -sites, or other groups - public or private. To protect the end-user security, -these issues could be disclosed in other places only after WSO2 completes its -[Vulnerability Management Process](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Management+Process). +WSO2 takes security very seriously. If you discover a security vulnerability, please report it **privately** to [security@wso2.com](mailto:security@wso2.com) before sharing it publicly. Do **not** disclose it in forums, websites, or other groups, whether public or private. -[WSO2 guidelines for reporting a security vulnerability](https://docs.wso2.com/display/Security/WSO2+Security+Vulnerability+Reporting+Guidelines) page describes how to report a Security Vulnerability and includes a public key if you wish to send secure messages to security@wso2.com +To protect end‑user security, vulnerabilities should only be made public **after WSO2 completes its internal vulnerability handling process**. + +### How to Report a Security Vulnerability + +1. **Report privately first:** Send a detailed report to `security@wso2.com`. +2. **Include key information:** + - Affected WSO2 product name and version. + - A high‑level description of the issue. + - Steps to reproduce the vulnerability (screenshots or steps if applicable). + - Your own severity assessment and impact. +3. 
**Confidential communication:** If you wish to send secure messages, use the PGP public key for `security@wso2.com` (available via the [WSO2 Security portal](https://security.docs.wso2.com/)). +4. **WSO2 response process:** + - WSO2 acknowledges the report and investigates. + - If the report is valid, patches are created and tested internally. + - After mitigation and agreed timelines, a public announcement may be made. + +This embedded guidance ensures users have clear instructions on reporting vulnerabilities without relying on external links that may not be accessible.
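Review bot: The closing sentence ("This embedded guidance ensures users have clear instructions ... without relying on external links that may not be accessible") describes the motivation for the change rather than something a reporter needs, and it is inaccurate as written, since step 3 still sends the reporter to an external link (the WSO2 Security portal) for the PGP key; move that sentence to the PR description and drop it from SECURITY.md. Related: the hunk removes the direct links to the Vulnerability Management Process and the Reporting Guidelines pages, and the new text now only refers to an unnamed "internal vulnerability handling process" with no link, so reporters lose the reference for when and how disclosure is coordinated; keep at least the process link alongside the new steps. Minor: in step 2, "Steps to reproduce the vulnerability (screenshots or steps if applicable)" repeats "steps"; suggest "Steps to reproduce the vulnerability (with screenshots, logs or a proof-of-concept request where applicable)".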