diff --git a/SECURITY.md b/SECURITY.md
index ad252370b..34111c258 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -8,7 +8,8 @@
    do not send a notification, I probably will miss it without this.
    <https://github.com/louislam/uptime-kuma/issues/new?assignees=&labels=help&template=security.md>
 
-Do not use the public issue tracker or discuss it in public as it will cause
+- Do not report any upstream dependency issues / scan result by any tools. It will be closed immediately without explanations. Unless you have PoC to prove that the upstream issue affected Uptime Kuma.
+- Do not use the public issue tracker or discuss it in public as it will cause
 more damage.
 
 ## Do you accept other 3rd-party bug bounty platforms?