diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index ed2827bf2d..8ec4d9b89f 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -134,13 +134,16 @@ somewhat over time and a list somewhere only risks getting outdated. 6. On security advisory release day, push the changes on the curl-www repository's remote master branch. -## HackerOne +## Disclose the report Request the issue to be disclosed. If there are sensitive details present in the report and discussion, those should be redacted from the disclosure. The default policy is to disclose as much as possible as soon as the vulnerability has been published. +*All* reports submitted to the project, valid or not, should be disclosed and +made public. + ## Bug Bounty See [BUG-BOUNTY](https://curl.se/docs/bugbounty.html) for details on the
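
Review bot: The added sentence "*All* reports submitted to the project, valid or not, should be disclosed and made public" leaves the timing for invalid reports undefined. The paragraph just above it ties disclosure to "as soon as the vulnerability has been published", and a report judged not valid never reaches that point. Suggest stating when such a report gets disclosed (for example, once it is closed), and saying explicitly that the redaction of sensitive details described above applies to those reports too. Separately, with the heading renamed from "HackerOne" to "Disclose the report", the instruction "Request the issue to be disclosed" no longer says where that request is made. Consider naming the place or rewording it so the step is actionable without the old heading, and check whether anything links to the old heading anchor.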