From 9dcfb9e2d53d9b299c568381bcc36d14da8032da Mon Sep 17 00:00:00 2001
From: Michael Dawson <mdawson@devrus.com>
Date: Tue, 8 Nov 2022 14:57:39 -0500
Subject: [PATCH] doc: allow for holidays in triage response (#45267)

Signed-off-by: Michael Dawson <mdawson@devrus.com>

Signed-off-by: Michael Dawson <mdawson@devrus.com>
---
 SECURITY.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 57943ce969e20b..34740622bf543f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,9 +4,11 @@
 
 Report security bugs in Node.js via [HackerOne](https://hackerone.com/nodejs).
 
-Your report will be acknowledged within 5 days, and you'll receive a more
-detailed response to your report within 10 days indicating the next steps in
-handling your submission.
+Normally your report will be acknowledged within 5 days, and you'll receive
+a more detailed response to your report within 10 days indicating the
+next steps in handling your submission. These timelines may extend when
+our triage volunteers are away on holiday, particularly at the end of the
+year.
 
 After the initial reply to your report, the security team will endeavor to keep
 you informed of the progress being made towards a fix and full announcement,