From 1c11688b5624394c3792d1bb37599fd1e3452c9c Mon Sep 17 00:00:00 2001
From: Gannon McGibbon <gannon.mcgibbon@gmail.com>
Date: Tue, 6 Nov 2018 14:17:23 -0500
Subject: Add CVE note to security guide and gemspecs

[ci skip]
---
 guides/source/security.md | 5 +++++
 1 file changed, 5 insertions(+)

(limited to 'guides')

diff --git a/guides/source/security.md b/guides/source/security.md
index bb996cc39c..66b922ea35 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -1235,6 +1235,11 @@ version:
 Rails.application.credentials.some_api_key! # => raises KeyError: :some_api_key is blank
 ```
 
+Dependency Management and CVEs
+------------------------------
+
+Please note that we do not accept patches for CVE version bumps. This is because application owners need to manually update their gems regardless of our efforts. Use `bundle update --conservative gem_name` to safely update vulnerable dependencies.
+
 Additional Resources
 --------------------
 
-- 
cgit v1.2.3