diff --git a/.github/workflows/cla.yml b/.github/workflows/cla.yml index a6aa70a..982c17f 100644 --- a/.github/workflows/cla.yml +++ b/.github/workflows/cla.yml @@ -57,7 +57,7 @@ jobs: > I have read the CLA Document and I hereby sign the CLA - The CLA is a one-time agreement that covers every future contribution you make to any AxonOps open-source project. If you have questions before signing, please open a discussion or email `oss@axonops.com`. + The CLA is a one-time agreement that covers every future contribution you make to any AxonOps open-source project. If you have questions before signing, please open an issue on this repository. custom-pr-sign-comment: "I have read the CLA Document and I hereby sign the CLA" custom-allsigned-prcomment: "All contributors have signed the CLA. ✅" signed-commit-message: "chore(cla): $contributorName signed the CLA in #$pullRequestNo" diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 0f4924a..f40c5db 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -94,7 +94,7 @@ Releases happen exclusively through the [release workflow](./.github/workflows/r ## Reporting security issues -Do **not** open a public issue for a suspected vulnerability. Email `oss@axonops.com`. See [`SECURITY.md`](./SECURITY.md) for the full disclosure process and response timeline. +Do **not** open a public issue for a suspected vulnerability. Use GitHub's private advisory flow via the [Security tab](https://github.com/axonops/syncmap/security/advisories/new). See [`SECURITY.md`](./SECURITY.md) for the full disclosure process and response timeline. ## Licence diff --git a/README.md b/README.md index 38dbea5..a196317 100644 --- a/README.md +++ b/README.md 
@@ -168,7 +168,7 @@ See [`CONTRIBUTING.md`](./CONTRIBUTING.md) for the branching model, commit messa ## 🔐 Security -Report suspected vulnerabilities privately to **oss@axonops.com**. Do not open a public issue. See [`SECURITY.md`](./SECURITY.md) for the full policy, supported-version table, and threat model. +Do not open a public issue for a suspected vulnerability. Use GitHub's private advisory flow — [**Report a vulnerability**](https://github.com/axonops/syncmap/security/advisories/new) — which creates a private channel between you and the maintainers. See [`SECURITY.md`](./SECURITY.md) for the full policy, supported-version table, and threat model. ## 📜 Attribution diff --git a/SECURITY.md b/SECURITY.md index 6e07f50..6895e93 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -34,7 +34,13 @@ The `syncmap` library follows [Semantic Versioning](https://semver.org/spec/v2.0 **Do not open a public issue for a suspected vulnerability.** -Email **oss@axonops.com** with: +Use GitHub's private vulnerability reporting: + +**[Report a vulnerability](https://github.com/axonops/syncmap/security/advisories/new)** + +GitHub creates a private advisory visible only to you and the maintainers. You can attach proof-of-concept code, crash reports, or `go test -race` output directly to the advisory, and the discussion stays private until a fix ships. + +When you file, please include: - A concise description of the issue. - Steps to reproduce, including the Go version and OS/architecture. @@ -46,7 +52,7 @@ We will: - Acknowledge receipt within **3 business days**. - Share a mitigation plan within **14 business days**. - Coordinate an embargoed release with you if a fix requires a new tag. -- Credit you in the release notes and in this repository's security advisories unless you request otherwise. +- Credit you in the release notes and on the advisory unless you request otherwise. ## Dependency security 
diff --git a/documentation_test.go b/documentation_test.go index 187c368..66e8095 100644 --- a/documentation_test.go +++ b/documentation_test.go @@ -296,8 +296,8 @@ func TestGovernance_SecurityPolicyExists(t *testing.T) { require.NoError(t, err, "SECURITY.md must exist at the repo root") s := string(body) - assert.Contains(t, s, "oss@axonops.com", - "SECURITY.md must carry the AxonOps oss@axonops.com reporting contact") + assert.Contains(t, s, "security/advisories/new", + "SECURITY.md must link to GitHub's private-advisory reporting flow") assert.Contains(t, s, "Supported versions", "SECURITY.md must document supported versions") } diff --git a/llms-full.txt b/llms-full.txt index 98ac94b..3203a82 100644 --- a/llms-full.txt +++ b/llms-full.txt @@ -313,7 +313,7 @@ See [`CONTRIBUTING.md`](./CONTRIBUTING.md) for the branching model, commit messa ## 🔐 Security -Report suspected vulnerabilities privately to **oss@axonops.com**. Do not open a public issue. See [`SECURITY.md`](./SECURITY.md) for the full policy, supported-version table, and threat model. +Do not open a public issue for a suspected vulnerability. Use GitHub's private advisory flow — [**Report a vulnerability**](https://github.com/axonops/syncmap/security/advisories/new) — which creates a private channel between you and the maintainers. See [`SECURITY.md`](./SECURITY.md) for the full policy, supported-version table, and threat model. ## 📜 Attribution 
@@ -504,7 +504,7 @@ Releases happen exclusively through the [release workflow](./.github/workflows/r ## Reporting security issues -Do **not** open a public issue for a suspected vulnerability. Email `oss@axonops.com`. See [`SECURITY.md`](./SECURITY.md) for the full disclosure process and response timeline. +Do **not** open a public issue for a suspected vulnerability. Use GitHub's private advisory flow via the [Security tab](https://github.com/axonops/syncmap/security/advisories/new). See [`SECURITY.md`](./SECURITY.md) for the full disclosure process and response timeline. ## Licence @@ -550,7 +550,13 @@ The `syncmap` library follows [Semantic Versioning](https://semver.org/spec/v2.0 **Do not open a public issue for a suspected vulnerability.** -Email **oss@axonops.com** with: +Use GitHub's private vulnerability reporting: + +**[Report a vulnerability](https://github.com/axonops/syncmap/security/advisories/new)** + +GitHub creates a private advisory visible only to you and the maintainers. You can attach proof-of-concept code, crash reports, or `go test -race` output directly to the advisory, and the discussion stays private until a fix ships. + +When you file, please include: - A concise description of the issue. - Steps to reproduce, including the Go version and OS/architecture. @@ -562,7 +568,7 @@ We will: - Acknowledge receipt within **3 business days**. - Share a mitigation plan within **14 business days**. - Coordinate an embargoed release with you if a fix requires a new tag. -- Credit you in the release notes and in this repository's security advisories unless you request otherwise. +- Credit you in the release notes and on the advisory unless you request otherwise. ## Dependency security
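Review bot: in the `.github/workflows/cla.yml` hunk the edited sentence sits inside a multi-line string (the surrounding context is comment template text, not YAML keys), so the leading indentation of the `+` line must match the `-` line exactly; a one-space difference either changes the rendered comment or breaks the block scalar. Pointing CLA questions at a public issue is fine, since nothing sensitive is involved, but the workflow file does not show that an issue template or label exists for such questions; consider naming one so they are easy to triage.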
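Review bot: the `CONTRIBUTING.md` hunk replaces the email address with a link to `https://github.com/axonops/syncmap/security/advisories/new`, but that URL only resolves when private vulnerability reporting is enabled in the repository's security settings, and nothing in the patch shows that it has been turned on. Confirm the setting (or state it in the PR description) before merging; otherwise a reporter reaches an error page and, with the email removed, has no fallback channel. The link text "Security tab" also no longer matches the target, which is the new-advisory form rather than the tab; "report a vulnerability" would be more accurate.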
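Review bot: the `README.md` hunk drops the only reporting path that did not require a GitHub account. GitHub's private reporting form needs the reporter to be signed in, so researchers who report from a non-GitHub identity lose their channel; consider keeping a secondary contact (the retired mailbox or a security contact in a `security.txt`) alongside the advisory link, and apply the same to the mirrored text in `llms-full.txt`.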
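Review bot: in the first `SECURITY.md` hunk the added sentence "the discussion stays private until a fix ships" promises something the tool does not enforce: a private advisory stays private until a maintainer publishes it, which is a separate action from tagging a release. Reword to "until the advisory is published" so the policy matches the mechanism, and note that attaching `go test -race` output or proof-of-concept code to the advisory is visible to all repository maintainers with admin or security-manager access, not only the individual who triages the report.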
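Review bot: the second `SECURITY.md` hunk changes the credit wording to "on the advisory"; on GitHub an advisory credit only appears once the credited account accepts it, so the promise is conditional on the reporter's action rather than the maintainers'. "offer you credit on the advisory" would describe what the project can actually guarantee.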
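Review bot: the `documentation_test.go` hunk only asserts the substring `"security/advisories/new"`, which would also pass for a link copied from another repository. Assert the full URL `https://github.com/axonops/syncmap/security/advisories/new` so a wrong owner or repository is caught, and add a negative assertion that `SECURITY.md` no longer contains `oss@axonops.com`, so the retired address cannot drift back in through a later edit.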
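Review bot: the three `llms-full.txt` hunks repeat the `README.md`, `CONTRIBUTING.md` and `SECURITY.md` text verbatim, which is exactly the situation that produced this patch in the first place. If `llms-full.txt` is generated from those files it should be regenerated rather than hand-edited; if it is maintained by hand, extend `documentation_test.go` with a check that its Security section matches the source files, so the next contact-detail change cannot leave one copy stale.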