diff --git a/SECURITY.md b/SECURITY.md
index 7727307..2ab2445 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -17,18 +17,24 @@ To file a incident, please disclose by email to security@caos.ch a list with the
 
 At the moment GPG encryption is no yet supported, however you may sign your message at will.
 
-### When should I report a vulnerability?
+### When should I report a vulnerability
 
 * You think you discovered a ...
   * ... potential security vulnerability in the SDK
   * ... vulnerability in another project that this SDK bases on
 * For projects with their own vulnerability reporting and disclosure process, please report it directly there
 
-### When should I NOT report a vulnerability?
+### When should I NOT report a vulnerability
 
 * You need help applying security related updates
 * Your issue is not security related
 
 ## Security Vulnerability Response
 
-## Public Disclosure Timing
+## Public Disclosure
+
+All accepted and mitigated vulnerabilitys will be published on the [Github Security Page](https://github.com/caos/oidc/security/advisories)
+
+### Timing
+
+We think it is crucial to publish advisories `ASAP` as mitigations are ready. But due to the unknow nature of the discloures the time frame can range from 7 to 90 days.