From 39cc684c6abe4a0a5b193aaa3a37c862ca8acb3d Mon Sep 17 00:00:00 2001 From: Danny Canter Date: Thu, 1 Dec 2022 04:59:31 -0800 Subject: [PATCH] docs: Add extra security instructions Update to point to containerd/project documentation that lists a new way to report a security vulnerability on Github directly. Signed-off-by: Danny Canter --- README.md | 2 +- RELEASES.md | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 4d25524fd..4d0f7f04e 100644 --- a/README.md +++ b/README.md @@ -328,7 +328,7 @@ A third party security audit was performed by Cure53 in 4Q2018; the [full report ### Reporting security issues -__If you are reporting a security issue, please reach out discreetly at security@containerd.io__. +Please follow the instructions at [containerd/project](https://github.com/containerd/project/blob/main/SECURITY.md#reporting-a-vulnerability) ## Licenses diff --git a/RELEASES.md b/RELEASES.md index c307447c6..6d4b8b019 100644 --- a/RELEASES.md +++ b/RELEASES.md @@ -164,7 +164,10 @@ one of three ways: 2. Open a PR with cherry-picked change from main. 3. Open a PR with a ported fix. -__If you are reporting a security issue, please reach out discreetly at security@containerd.io__. +__If you are reporting a security issue:__ + +Please follow the instructions at [containerd/project](https://github.com/containerd/project/blob/main/SECURITY.md#reporting-a-vulnerability) + Remember that backported PRs must follow the versioning guidelines from this document. Any release that is "active" can accept backports. Opening a backport PR is
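Review bot: In the README.md hunk, under "Reporting security issues", the replacement line loses both the bold emphasis and the word "discreetly", so the README itself no longer tells a reporter to keep the report private before they follow the link. Consider keeping one short bold sentence ahead of the link saying that security reports should not be filed as public issues, and end the new sentence with a period. The link also depends on the `#reporting-a-vulnerability` fragment on `blob/main`; if that heading in SECURITY.md is ever renamed, the link will still load but land at the top of the file, so it is worth either dropping the fragment or noting the dependency in containerd/project. The commit message describes the GitHub route as a new way to report; if security@containerd.io is still monitored, leaving it inline keeps a contact path for readers who only have the README in front of them.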
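Review bot: In the RELEASES.md hunk, the notice sits directly after the list of ways to open a backport PR, and the new wording no longer says to report discreetly, so a reader working through "Open a PR with a ported fix" gets no hint that a security fix should not be proposed through a public PR first. I would state that explicitly in the bold lead-in rather than leaving it to the linked document. The formatting also differs from the README.md change for the same instruction (bold lead-in plus a separate sentence here, a single plain sentence there, neither ending in a period); using one identical sentence in both files would make later updates easier to keep in sync.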