diff --git a/SECURITY.md b/SECURITY.md
index 638034762..3fe384227 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -6,4 +6,4 @@ Sandstorm operates on an evergreen release model. Only the latest release is con
 
 ## Reporting a Vulnerability
 
-Please report security vulnerabilities to security@sandstorm.io for responsible disclosure. We ask that you hold disclosure for at least 90 days from disclosure or 48 hours from patch release, whichever is shorter.
+Please report security vulnerabilities to security@sandstorm.io for responsible disclosure. We ask that you withhold public disclosure for at least 90 days after reporting the vulnerability or 48 hours after the release of fixed code which corrects the issue, whichever is shorter.