diff --git a/SECURITY.md b/SECURITY.md index 739ff70..5af8e4d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -8,10 +8,14 @@ If you discover a security vulnerability in KnotCode, please report it responsib Instead, DM [**@BunsDev**](https://x.com/BunsDev) or use [GitHub's private vulnerability reporting](https://github.com/OpenKnots/code-editor/security/advisories/new). - - We will acknowledge your report within 48 hours and aim to release a fix within 7 days for critical issues. +## Supported Versions + +KnotCode ships as a continuously-updated static app, so security fixes land in +the latest release. Please make sure you're on the most recent version before +reporting an issue, and upgrade to pick up any fix. + ## Scope This policy covers: diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 4576a8f..39ff837 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md @@ -1,5 +1,7 @@ # Security Runbook +> **Reporting a vulnerability?** See [`../SECURITY.md`](../SECURITY.md) for the disclosure policy and contact info. + This document defines how KnotCode handles secrets, responds to leaks, and manages git author privacy. ## Secret Handling Policy
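Review bot: In the SECURITY.md hunk, the new "Supported Versions" paragraph asks reporters to "make sure you're on the most recent version before reporting an issue" but does not say how to tell which version of a continuously updated static app they are running. It also reads as a precondition for reporting, which can delay or discourage a valid report. Consider rewording so that reporters are asked to include the version or build they observed the issue on, and state that only the latest release receives fixes. Style nit: "continuously-updated" does not need the hyphen.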
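Review bot: In the docs/SECURITY.md hunk, the added callout points to `../SECURITY.md` by relative path, which only resolves when the runbook is read from inside the repository tree. If docs/ is ever rendered or published elsewhere, the link to the disclosure policy breaks, and that is the one link a reporter most needs to work. Consider an absolute repository URL here. With two files now named SECURITY.md, it would also help to use descriptive link text such as "disclosure policy" instead of repeating the path, so readers can tell the policy from the runbook.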