diff --git a/SECURITY.md b/SECURITY.md index 991247e072..c9313acaf0 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -3,3 +3,10 @@ To report security vulnerabilities, open a normal bug report in the Additionally, you can use GitHub Private security advisories against this repository to report issues. + +Note that I will respond to security communication within 72 hours. Once +the bug is confirmed, it will be fixed or at least mitigated within another 72 +hours, at which time the fix will typically be committed to master and hence be +public. That timeline might be extended based on the severity of the issue and the +current state of master in terms of making a new release, if so, it will be +done in consultation with the issue reporter.
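Review bot: The last sentence of the added paragraph is a run-on ("...making a new release, if so, it will be done in consultation with the issue reporter"); split it so the two commitments read separately, e.g. "That timeline might be extended based on the severity of the issue and the current state of master with respect to making a new release. Any such extension will be agreed with the issue reporter." Two further points on the same hunk: the policy is written in the first person ("I will respond"), which ties a project-level commitment to one maintainer; "the maintainers will respond" keeps the promise valid if ownership changes. And since the paragraph states that a fix "will typically be committed to master and hence be public" within roughly 144 hours of the report, it would help reporters to say whether a security advisory (the GitHub Private security advisories mentioned in the preceding context line) is published at the same time the fix lands, so that the public commit is not the only disclosure.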