diff --git a/security/cve_policy.rst b/security/cve_policy.rst
index f54bd7462b9e5e3491e4f3112723721a9f2c32c2..49a3dffcc93e7117589c00d61404f474649d6b76 100644
--- a/security/cve_policy.rst
+++ b/security/cve_policy.rst
@@ -4,8 +4,8 @@
 
 .. include:: ../definitions.rst
 
-Vulnerability Handling Process (draft)
-######################################
+Vulnerability Handling Process
+##############################
 
 |main_project_name| aims to build a secure system from the foundation, applying
 the best industry practices in terms of development quality. However, as in
@@ -19,6 +19,8 @@ protect deployed products, sometimes we need to delay releasing information
 related to security issues, following the industry best practices. However, all
 information about vulnerabilities is becoming publicly available at the end.
 
+This process extends `the Eclipse security process <https://www.eclipse.org/security/policy.php>`.
+
 How to Report a Vulnerability?
 ******************************
 
@@ -29,8 +31,8 @@ dedicated `security project <https://gitlab.eclipse.org/security/oniro-core>`_.
 To do so, login into our issue tracker or create a new account if you do not have one
 yet. Click on `New issue <https://gitlab.eclipse.org/security/oniro-core/-/issues/new>`_, then make sure to check the checkbox at the bottom 
 'This issue is confidential and should only be visible to team members with at least 
-Reporter access'. Please use the 'Issue' type of ticket and the associated template.
-Fill in the title, answer the questions in the 'Description' field.
+Reporter access'. Please use the 'Issue' type of ticket, on top of the Description field choose
+'default' template. Fill in the title, answer the questions in the 'Description' field.
 Then click 'Create issue'.
 
 Your report should contain a description of the issue, the steps you took to
@@ -209,6 +211,12 @@ We follow the rules of the upstream projects, if applicable.
 
 This step is an equivalent of the Fix step of the Bug process.
 
+Gitlab currently does not allow adding outside assignees to a confidential issue.
+It means that, when a team needs to add a domain expert, they need to create a
+new confidential issue and add ALL people who should be working on the ticket
+as assignees. This is currently the only workaround assuring no confidential data
+disclosure.
+
 Notify
 ^^^^^^