From 26fa8902286eb32374a40411c89a9eaab1e95893 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jonatan=20M=C3=A4nnchen?= Date: Tue, 18 Mar 2025 11:07:48 +0000 Subject: [PATCH 1/2] Add CVE CHANGELOG disclosure requirement to `RELEASE.md` Fulfills the release_notes_vulns OpenSSF Best Practices Badge requirements. --- RELEASE.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/RELEASE.md b/RELEASE.md index 76d0f945895..8138f2dc376 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -11,6 +11,15 @@ 1. Update version in /VERSION, bin/elixir, bin/elixir.bat, and bin/elixir.ps1 2. Ensure /CHANGELOG.md is updated, versioned and add the current date + - If this release addresses any publicly known security vulnerabilities with + assigned CVEs, add a "Security" section to `CHANGELOG.md`. + - List all fixed vulnerabilities along with their CVE identifiers. + - If there are no known security vulnerabilities addressed in this release, this section may be omitted. + - For example: + ```md + ## Security + - Fixed CVE-2025-00000: Description of the vulnerability + ``` 3. Update "Compatibility and Deprecations" if a new OTP version is supported From c8f5777bf7798470f446aa74ccfd4b39b7684409 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jos=C3=A9=20Valim?= Date: Tue, 18 Mar 2025 14:29:00 +0100 Subject: [PATCH 2/2] Update RELEASE.md --- RELEASE.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/RELEASE.md b/RELEASE.md index 8138f2dc376..20fce539404 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -12,10 +12,7 @@ 2. Ensure /CHANGELOG.md is updated, versioned and add the current date - If this release addresses any publicly known security vulnerabilities with - assigned CVEs, add a "Security" section to `CHANGELOG.md`. - - List all fixed vulnerabilities along with their CVE identifiers. - - If there are no known security vulnerabilities addressed in this release, this section may be omitted. - - For example: + assigned CVEs, add a "Security" section to `CHANGELOG.md`. For example: ```md ## Security - Fixed CVE-2025-00000: Description of the vulnerability
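Review bot: In the first commit's hunk (`@@ -11,6 +11,15 @@`), the added bullet "If there are no known security vulnerabilities addressed in this release, this section may be omitted." restates what the leading condition ("If this release addresses any publicly known security vulnerabilities with assigned CVEs") already implies, so it can be dropped without losing meaning; the other added bullets are the ones that carry the requirement. Two smaller points on the same hunk: the placeholder `CVE-2025-00000` is format-valid and could be mistaken for a real identifier when the example is copied into a changelog, so a clearly non-allocatable form such as `CVE-YYYY-NNNNN` would be safer; and since the fenced `md` example sits inside a nested list item, its opening and closing fences need to be indented to the same level as the enclosing bullet, otherwise the fence terminates the list when rendered.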
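Review bot: The second commit's hunk (`@@ -12,10 +12,7 @@`) removes the explicit instruction "List all fixed vulnerabilities along with their CVE identifiers." and leaves only the "For example:" lead-in plus the single-entry `## Security` example, which means the completeness requirement is now only implied by a one-line sample rather than stated. Since the first commit's message ties this change to the OpenSSF Best Practices `release_notes_vulns` criterion, I would keep one sentence that states the rule in words, for example: `assigned CVEs, add a "Security" section to `CHANGELOG.md` listing every fixed vulnerability with its CVE identifier. For example:`. That keeps the collapsed wording José introduced while still making the requirement checkable against the badge criterion.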