diff --git a/definitions.rst b/definitions.rst index 0b9b9ed0eded4da7ee84f0fcecb0f4c5291f3872..2279d957730c9caf3f7a054579a5aecca8c2bd23 100644 --- a/definitions.rst +++ b/definitions.rst @@ -5,3 +5,4 @@ .. |contact_info| replace:: <TBD> .. |security_contact| replace:: <TBD> .. |security_public_key| replace:: <TBD> +.. |security_bugtracker| replace:: <https://git.ostc-eu.org/security-team/security-bugs/-/issues> diff --git a/security/cve_policy.rst b/security/cve_policy.rst index 5d54a8d47d84cb61bed41a618eef27c50ea03978..a77692ae2d789964fae57981f9cd4a79d313f708 100644 --- a/security/cve_policy.rst +++ b/security/cve_policy.rst 
@@ -24,15 +24,21 @@ How to report a vulnerability? If you think you have found a security issue in our distribution, please contact us immediatelly by posting a confidential issue in our bug tracker in a -dedicated security project (include details on how to make it confidential), or -by email using the address |security_contact|. +dedicated `security project |security_bugtracker|`. + +To do so, login into our issue tracker or create a new account if you do not have one +yet. Click on ``New issue``, then make sure to check the checkbox at the bottom +'This issue is confidential and should only be visible to team members with at least +Reporter access'. Please use the 'Issue' type of ticket and the associated template. +Fill in the title, answer the questions in the 'Description' field. +Then click 'Create issue'. Your report should contain a description of the issue, the steps you took to reproduce the issue (including the image name), affected versions, and, if known, any mitigations for the issue. -If desired, you can also use GPG-encrypted email using our public key -|security_public_key|. +We plan to add a security-related mailing list and a possibility to send +GPG-encrypted email in the near future. We aim to acknowledge the reception within one working day, and responding with a first assessment within three working days. We follow a 90 days disclosure
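Review bot: the new ``|security_bugtracker|`` substitution in the definitions.rst hunk wraps the URL in angle brackets, which a ``replace::`` substitution renders as literal text, and the place it is used in cve_policy.rst (`` `security project |security_bugtracker|` ``) puts the reference inside interpreted text, where reStructuredText does not expand substitution references and the missing trailing underscore means no hyperlink is produced at all. Suggest an explicit hyperlink target instead, e.g. ``.. _security_bugtracker: https://git.ostc-eu.org/security-team/security-bugs/-/issues`` in definitions.rst and `` `security project <security_bugtracker_>`_ `` in cve_policy.rst, and check the rendered page before merging, since this link is now the reporter's only entry point.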
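Review bot: dropping the ``|security_contact|`` email line and the GPG option in the cve_policy.rst hunk leaves a confidential tracker issue as the only reporting channel, so a reporter who cannot or will not create an account on the tracker has no way to reach the team, and the "near future" sentence offers no interim path; either keep the email address until the mailing list exists or state explicitly what a reporter should do in the meantime. Because an issue filed with the confidentiality checkbox unticked is visible to everyone, the procedure should present that step as mandatory and place it before the title and description are filled in, rather than as a "make sure to" aside. Minor: "login into" should be "log in to", "Fill in the title, answer the questions in the 'Description' field." is a run-on, and the unchanged context line still carries the misspelling "immediatelly".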