* SECURITY.md: Try to be more explicit about trunk-only code.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935398 13f79535-47bb-0310-9956-ffa450edef68

diff --git a/SECURITY.md b/SECURITY.md
index 24bf4e3f2caa3b57dea8d987c4286116f1cbbb77..8d6acfbe1156822395629941c97959f15db13131 100644 (file)
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -8,9 +8,9 @@ demonstrate how an attacker can violate the security model.
 ## Supported Versions
 
 Currently the only supported version is the latest patch release of the
-`2.4.x` stable branch. Vulnerabilities which exist *only* in
-unreleased branches (such as `trunk`) may be treated as normal bug
-reports.
+`2.4.x` stable branch.  Vulnerabilities which exist *only* in
+unreleased branches (such as `trunk`) should be reported as normal bug
+reports via <https://bz.apache.org/bugzilla/enter_bug.cgi?product=Apache%20httpd-2>.
 
 ## Reporting Vulnerabilities
 
@@ -36,7 +36,8 @@ Any security vulnerability SHOULD be reproducible:
 1. under a reasonable, supported configuration.
 2. without using third-party modules, or modules explicitly designed
   for debugging.
-3. under a standard build on a supported platform.
+3. using the *latest* released sources published via <https://httpd.apache.org/download.cgi#apache24>.
+4. under a standard build, on a supported platform.
 
 Issues which are reproducible only using instrumented builds (such as
 ASAN, or under valgrind) should be clearly explained as such.