secureCodeBox · Weltraumschaf · Aug 29, 2025 · Aug 25, 2025 · Aug 25, 2025 · Aug 25, 2025
diff --git a/SECURITY.md b/SECURITY.md
@@ -7,35 +7,42 @@ SPDX-License-Identifier: Apache-2.0
 # Security Policy
 
 ## Supported Versions
+
 Our _release cycle_ for new features (minor [semver](https://semver.org/) update)
-is roughly every two weeks (we will usually make a new release after each review). 
+is roughly every four weeks (we will usually make a new release after each sprint review).
 
 | Version | Security Fixes* | Supported** |
 | ------- | ------------------ | ------------------ |
-| 4.x.x | :white_check_mark: | :white_check_mark: |
-| 3.15.x | :white_check_mark: | :white_check_mark: |
-| <= 2.9.x | :x: | :x: |
-| < 2.0 | :x: | :x: |
+| 5.x.x | :white_check_mark: | :white_check_mark: |
+| 4.16.x | Critical issues only | :x: |
+| <= 3.15.x | :x: | :x: |
 
 ### Major Release (Semver)
+
 _Upcoming major updates_ will come with a time window in which both _major versions_ (starting with v2.x.x)
-will receive security updates and bugfixes. The concrete support intervall will be probably a couple of months
-and will be published when the next major version will be released.
+will receive security updates and bugfixes. The concrete support interval will probably be a couple of months
+and will be published when the next major version is released.
 
 ### Minor Release/Feature Releases (Semver)
+
 We currently plan to provide support for the _latest minor [semver](https://semver.org/)_ release only.
 
 ### Patch Release/Bugfix/Security Fix
+
 We try to make bugfixes and high severity fixes available as patch release for the current minor release
 as early as possible.
 
 ## Extended (Enterprise) Support
-If you are interested in extended support for older versions with security updates of our project 
+
+If you are interested in extended support for older versions with security updates of our project
 please get in touch with the project team via Slack or email <secureCodeBox@iteratec.com>.
 
 ## Reporting a Vulnerability
-You have found a vulnerability in the project that shouldn't be disclosed as public issue before it's fixed?
-Please get in touch with the project team via Slack or email <secureCodeBox@iteratec.com>. 
 
-You can expect a fast reaction within the next days. 
-We will keep you updated about the next steps and inform you if the vulnerability is accepted and when its fixed or if its ordeclined somehow.
+You have found a vulnerability in the project that shouldn't be disclosed as a public issue before it's fixed?
+Please report it using GitHub Security Advisories at https://github.com/secureCodeBox/secureCodeBox/security/advisories.
+
+If you are unable to use GitHub advisories, please email the project leaders at their OWASP email addresses that can be found under https://github.com/OWASP/www-project-securecodebox/blob/master/leaders.md.
+
+You can expect a fast reaction within the next few days.
+We will keep you updated about the next steps and inform you if the vulnerability is accepted and when it's fixed or if it's declined somehow.