Commit 07f34fc
James White (and co-author) authored
Add CVE commitment clarity (#511)
add CVE commitment clarity

Co-authored-by: James White <jameswhite@Jamess-MacBook-Pro.local>
1 parent 38d316f commit 07f34fc

1 file changed: +9 -0 lines changed

content/community/4.reporting-and-support/3.security-reporting.md

Lines changed: 9 additions & 0 deletions
@@ -3,6 +3,8 @@ title: Security Reporting
33
description: How to report security issues in Directus.
44
---
55

6+
### Reporting a Security Issue
7+
68
If you believe you have discovered a security issue within a Directus product or service, please [open a new private security vulnerability report through GitHub](https://github.com/directus/directus/security/advisories/new). Alternatively, reach out to us directly over email: [security@directus.io](mailto:security@directus.io). We will then open a GitHub security advisory for tracking the fix on your behalf.
79

810
Directus values the members of the independent security research community who find security vulnerabilities and work with our team so that proper fixes can be issued to users. Our policy is to credit all researchers in the fix's release notes. In order to receive credit, security researchers must follow responsible disclosure practices, including:
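Review bot: the `### Reporting a Security Issue` heading added at line 6 sits directly under the front matter, whose `title: Security Reporting` is the page's top-level title, so the document jumps from the title to a level-3 heading with no level-2 in between; the `### Approach to Vulnerability Management` heading added later in this commit has the same shape. Consider `## Reporting a Security Issue` (and `## Approach to Vulnerability Management`) so the sections nest one level under the title, unless the docs site's convention is to start page sections at `###`.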
@@ -11,3 +13,10 @@ Directus values the members of the independent security research community who f
1113
- They do not divulge exact details of the issue, for example, through exploits or proof-of-concepts
1214

1315
You can learn more about how we approach security and compliance at Directus [here](https://directus.io/security).
16+
17+
### Approach to Vulnerability Management
18+
19+
Directus takes a proactive approach to security by continuously monitoring for vulnerabilities using automated tools as part of our engineering pipelines. We are committed to addressing all High and Critical severity vulnerabilities that directly affect Directus. Our priority is to resolve vulnerabilities that impact Directus itself immediately, with fixes posted to the [Security tab](https://github.com/directus/directus/security) on GitHub after release.
20+
21+
For third-party package vulnerabilities that do not cause any vulnerability in Directus itself, we evaluate these on a case-by-case basis and address them during our regular dependency update cycles. We also work to resolve Medium and Low severity issues when they represent minimal effort to fix. This focused approach ensures we allocate our security resources effectively while maintaining the highest standards of protection for our users.
22+
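Review bot: the commit title promises "CVE commitment clarity", but the added Approach to Vulnerability Management section (lines 17-21) never mentions CVEs: it does not say whether Directus requests a CVE identifier for the High and Critical issues it fixes, which severity scale (for example CVSS) the High/Critical/Medium/Low labels refer to, or what "immediately" means as a target timeframe. Suggest one sentence after "fixes posted to the Security tab on GitHub after release" stating the CVE practice, for instance "Each published advisory is assigned a CVE identifier through GitHub" if that is what the team actually does, plus a mention of the scoring scale the severities come from. Minor: line 22 adds a blank line after the final paragraph, leaving a trailing empty line at end of file.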
