doc: clarify reports are only evaluated on active versions

RafaelGSS · RafaelGSS · commit 5be0f03f39d5 · 2023-04-06T11:24:00.000-03:00
PR-URL: #47341 Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
diff --git a/SECURITY.md b/SECURITY.md
@@ -31,11 +31,12 @@ maintainers.
 Here is the security disclosure policy for Node.js
 
 * The security report is received and is assigned a primary handler. This
-  person will coordinate the fix and release process. The problem is confirmed
-  and a list of all affected versions is determined. Code is audited to find
-  any potential similar problems. Fixes are prepared for all releases which are
-  still under maintenance. These fixes are not committed to the public
-  repository but rather held locally pending the announcement.
+  person will coordinate the fix and release process. The problem is validated
+  against all supported Node.js versions. Once confirmed, a list of all affected
+  versions is determined. Code is audited to find any potential similar
+  problems. Fixes are prepared for all supported releases.
+  These fixes are not committed to the public repository but rather held locally
+  pending the announcement.
 
 * A suggested embargo date for this vulnerability is chosen and a CVE (Common
   Vulnerabilities and Exposures (CVE®)) is requested for the vulnerability.
