From 7ab27d275bd269b86ab3be3b2e4911b92e0b678a Mon Sep 17 00:00:00 2001
From: Asra Ali <asraa@google.com>
Date: Tue, 11 Oct 2022 16:13:02 -0500
Subject: [PATCH] address reproducibility

Signed-off-by: Asra Ali <asraa@google.com>
---
 docs/SECURITY.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/SECURITY.md b/docs/SECURITY.md
index 9b645f7a..9c6315b8 100644
--- a/docs/SECURITY.md
+++ b/docs/SECURITY.md
@@ -10,6 +10,7 @@ You may report issues for the most recent version of go-tuf. We will not retroac
 
 If you discover a potential security issue in this project we ask that you notify the go-tuf maintainers via our [vulnerability reporting form](https://forms.gle/ShM4s3mLbUAx5QHo8). At the minimum, the report must contain the following:
 * A description of the issue.
+* A specific version or commit SHA of `go-tuf` where the issue reproduces.
 * Instructions to reproduce the issue.
 
 Please do **not** create a public GitHub issue to submit vulnerability reports. The GitHub issue tracker is intended for bug reports and feature requests. Major feature requests, such as design changes to the specification, should be proposed via a [TUF Augmentation Protocol](https://theupdateframework.github.io/specification/latest/#tuf-augmentation-proposal-tap-support) (TAP).