diff --git a/documentation/content/en/books/porters-handbook/security/_index.adoc b/documentation/content/en/books/porters-handbook/security/_index.adoc --- a/documentation/content/en/books/porters-handbook/security/_index.adoc +++ b/documentation/content/en/books/porters-handbook/security/_index.adoc @@ -313,3 +313,13 @@ .... The former version matches while the latter one does not. + +[[security-xcheck-vuxml]] +=== Cross-checking Derivatives + +If an upstream project has a known vulnerability, check whether derivatives or +forks of the project included in the ports tree are also affected. +For example, if a vulnerability is discovered in package:www/firefox[], assess +whether derivatives like package:www/librewolf[], package:www/waterfox[] or +other similar projects share the same vulnerability. Include all affected +derivatives in the VuXML entry, ensuring that users of these ports are informed.
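Review bot: The added "Cross-checking Derivatives" paragraph tells the porter to "Include all affected derivatives in the VuXML entry" but gives no guidance on version ranges, even though the text just above the new section is about which versions match. A derivative may not share the upstream project's version numbering, so copying the upstream range could miss affected versions or flag unaffected ones. Consider adding a sentence saying that each derivative is listed under its own package name with a range checked against that port's own versions. As a smaller style point, "Include all affected" begins mid-line after "share the same vulnerability.", while "For example" starts on a fresh line; starting each sentence on its own line would keep the source consistent and make later diffs easier to read.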