Index: en_US.ISO8859-1/htdocs/security/security.xml
===================================================================
--- en_US.ISO8859-1/htdocs/security/security.xml
+++ en_US.ISO8859-1/htdocs/security/security.xml
@@ -52,6 +52,44 @@
       href="reporting.html">reporting FreeBSD security incidents</a>
     page.</p>
 
+  <a name="when-reporting"></a>
+  <h2>When is a Security Advisory considered?</h2>
+
+  <p>For every issue that gets reported, an internal tracking number is
+    created, unless something is very obviously not a security issue.
+    To determine whether or not a Security Advisory is warranted we use
+    the following scheme:</p>
+
+  <ul>
+    <li>Is it a privilege escalation vulnerability?</li>
+    <li>Is it a code injection vulnerability?</li>
+    <li>Is it a memory disclosure or dataleak vulnerability?
+      <ul>
+	<li>From either the kernel</li>
+	<li>From a privileged process</li>
+	<li>From a process owned by another user?</li>
+      </ul>
+    </li>
+    <li>Is it a Denial of Service vulnerability?
+      <ul>
+	<li>Only when remotely exploitable, where remotely means that it
+	  comes from a different broadcast domain, so ARP and/or NDP based
+	  attacks do not qualify.</li>
+      </ul>
+    </li>
+    <li>Is it an unassisted jailbreak vulnerability?</li>
+    <li>Is it a malfunction that could lead to generating insecure crypto keys,
+      such as a PRNG bug?</li>
+  </ul>
+
+  <p>For items that fall under these categories, a Security Advisory is very likely.
+    Items that are not on this list are looked into individually and it will be determined
+    then whether or not it will receive a Security Advisory or an Errata Notice.</p>
+
+  <p>Once it had been determined that a Security Advisory is warranted, either the
+    submitter delivers a CVE number if he/she already requested one, or we use one
+    from the FreeBSD pool available.</p>
+
   <a name="recent"></a>
   <h2>Recent FreeBSD security vulnerabilities</h2>