From e77e29378826a8f095b791ab73985386f298400f Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Wed, 21 Jan 2026 14:21:13 -0300 Subject: [PATCH] doc: add CVE delay mention --- SECURITY.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 2270a0161feb89..5a90b8ff41d072 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -348,6 +348,21 @@ Security notifications will be distributed via the following methods. * * +### CVE publication timeline + +When security releases are published, there is a built-in delay before the +corresponding CVEs are publicly disclosed. This delay occurs because: + +1. After the security release, we request the vulnerability reporter to disclose + the details on HackerOne. +2. If the reporter does not disclose within one day, we proceed with forced + disclosure to publish the CVEs. +3. The disclosure then goes through HackerOne's approval process before the CVEs + become publicly available. + +As a result, CVEs may not be immediately available when security releases are +published, but will typically be disclosed within a few days of the release. + ## Comments on this policy If you have suggestions on how this process could be improved, please visit
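Review bot: step 2 of the added list ("If the reporter does not disclose within one day, we proceed with forced disclosure") leaves both the actor and the start of the one-day window unspecified, and the closing sentence ("will typically be disclosed within a few days of the release") then reads as inconsistent with it until the reader works out that the extra time is HackerOne's approval step from step 3. Suggest naming who "we" is (the team that operates the HackerOne program for the project), stating that the day is counted from the security release, and making the closing sentence say where the remaining delay comes from, e.g. "As a result, CVEs are usually public within a few days of the release; most of that time is HackerOne's approval process." It would also help to point readers to where the CVEs can be found once they are disclosed, since this section is where someone looking for a missing CVE will land.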