diff --git a/CONTRIBUTE.md b/CONTRIBUTE.md
index b6eecdc24cd911285345c08238db797a18d9c454..a7bb67a16ae5f9a1a4e28e88c0337e0b54520e6b 100644
--- a/CONTRIBUTE.md
+++ b/CONTRIBUTE.md
@@ -93,7 +93,40 @@ You can help us diagnose and fix bugs by asking and providing answers to the fol
 * Are the steps to reproduce the bug clear? If not, can you describe how you might reproduce it?
 * What tags should the bug have?
 * How critical is this bug? Does it impact a large amount of users?
-* Is this a security issue? If so, how severe is it? How can an attacker exploit it?
+* Is this a security issue? If so, how severe is it? How can an attacker exploit it? Read more about security issues in
+the next section.
+
+## Reporting vulnerabilities
+
+In case you find a vulnerability in SimpleSAMLphp, or you want to confirm a possible security issue in the software, please
+get in touch with us through [UNINETT's CERT team](https://www.uninett.no/cert). Please use our PGP public key to encrypt
+any possible sensitive data that you may need to submit. We will get back to you as soon as possible according to our
+working hours in Central European Time.
+
+When reporting a security issue, please add as much information as possible to help us identify, confirm, replicate and
+fix the problem. In particular, remember to include the following information in your report:
+
+* The version or versions of SimpleSAMLphp affected.
+* An exact version that can be used to replicate the issue.
+* Any module or modules involved in the issue.
+* Any particular configuration details relevant to the setup affected.
+* A detailed description and a clear and concise, step-by-step guide to allow us reproduce the issue.
+* Screenshots, videos, or any other media that would help identify the issue.
+* Pointers to the exact line or lines in the code where the vulnerability is supposed to be.
+* Context on how you discovered the issue.
+* Your own name and whether you want to be credited for the discovery or not.
+
+Please **DO NOT** report security incidents related to systems that use SimpleSAMLphp, where this software is not the
+cause of the incident. Issues related to the use (or misuse) of infrastructure, misconfiguration of the software,
+malfunction of a particular system or user-related errors should not be reported either. If you are using SimpleSAMLphp
+to authenticate or login to services, but you don't know what SimpleSAMLphp is or you are not sure about the nature of
+the issue, please contact the organization running the service for you.
+
+Finally, be reasonable. We'll do our best to resolve the issue according to our principles of security and transparency.
+Every confirmed vulnerability will be published and resolved in a timely manner. All we ask in return is that you
+contact us privately first in order to avoid any potential damage to those using the software.
+
+You can find the list of security advisories we have published [here](https://simplesamlphp.org/security).
 
 ## Translations
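Review bot: The new "Reporting vulnerabilities" section asks reporters to "use our PGP public key to encrypt any possible sensitive data" but never says where that key can be obtained or gives a fingerprint to verify it, so a reporter following these instructions has no way to actually encrypt the submission; add a link to the key (or its fingerprint) next to the CERT contact sentence. Two smaller points in the same hunk: the bullet "An exact version that can be used to replicate the issue." reads as a duplicate of the preceding "The version or versions of SimpleSAMLphp affected." and should either be removed or reworded to say what additional detail is wanted, and "step-by-step guide to allow us reproduce the issue" is missing a word ("to allow us to reproduce the issue"). In the paragraph on out-of-scope reports, "authenticate or login to services" should be "authenticate or log in to services".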