Use direct language in the call to action.
Replace passive voice with more specific wording that the committer must
be the one to create the bugzilla issue for a CVE request.
Signed-off-by: Wayne Beaton <wayne.beaton@eclipse-foundation.org>
diff --git a/source/chapters/security.adoc b/source/chapters/security.adoc
index 68364f0..023e5a4 100644
--- a/source/chapters/security.adoc
+++ b/source/chapters/security.adoc
@@ -65,7 +65,7 @@
Whether or not a vulnerability requires a CVE is decided by the project team with assistance from their PMC (if required).
-To request a CVE Number assignment, the vulnerability must be captured in a Eclipse Bugzilla record. The project team can track work on a vulnerability elsewhere, but the vulnerability reporting is tracked via Bugzilla.
+To request a CVE Number assignment, the vulnerability must be captured in an Eclipse Bugzilla record. If a record for the vulnerability report does not already exist, a _project committer_ must {vulnerabilityReportUrl}[create one]. The project team can track work on a vulnerability elsewhere, but the vulnerability reporting is tracked via Bugzilla.
[TIP]
====
