diff --git a/.github/ISSUE_TEMPLATE/bypass-report.yml b/.github/ISSUE_TEMPLATE/bypass-report.yml index 43a9b79..1729bad 100644 --- a/.github/ISSUE_TEMPLATE/bypass-report.yml +++ b/.github/ISSUE_TEMPLATE/bypass-report.yml @@ -7,9 +7,10 @@ body: attributes: value: | ⚠️ **Stop if this is weaponizable.** A working, reproducible bypass that - students could copy is a security vulnerability — **report it privately** - via the repo's **Security → Report a vulnerability** tab, not here. See - [SECURITY.md](../blob/main/SECURITY.md). + students could copy is a security vulnerability — **report it privately**: + [open a security advisory](https://github.com/Babyhamsta/Fenceline/security/advisories/new), + not a public issue. See + [SECURITY.md](https://github.com/Babyhamsta/Fenceline/blob/main/SECURITY.md). Use this public form only for a bypass *class* or behaviour you can describe without handing out a working recipe (e.g. "proxies using diff --git a/SECURITY.md b/SECURITY.md index 51cf334..b321493 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -14,8 +14,9 @@ on the current version before reporting. **Report privately. Do not open a public issue for a working bypass or any weaponizable finding.** -Use GitHub's **private vulnerability reporting**: the repo's **Security** tab → -**Report a vulnerability**. Include: +Use GitHub's **private vulnerability reporting**: +**[Report a vulnerability](https://github.com/Babyhamsta/Fenceline/security/advisories/new)** +(or the repo's **Security** tab → **Report a vulnerability**). Include: - what you did (steps to reproduce), the URL/technique, and the version, - what you expected vs. what happened (e.g. a blocked category loaded),
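Review bot: In the bypass-report.yml hunk the rewritten warning drops the fallback route that the old text carried and that the SECURITY.md hunk in the same patch still keeps: it now points only at `[open a security advisory](https://github.com/Babyhamsta/Fenceline/security/advisories/new)`, while SECURITY.md says `(or the repo's **Security** tab → **Report a vulnerability**)`. That `/security/advisories/new` page only offers an outside reporter a form when private vulnerability reporting is enabled in the repository settings, and the URL is pinned to `Babyhamsta/Fenceline`, so on a fork, or if that setting is ever switched off, someone who has just been told not to open a public issue lands on a dead link with no alternative. Suggest keeping the "Security tab → Report a vulnerability" wording in the template too, so both documents describe the same two routes. Replacing the relative `../blob/main/SECURITY.md` with an absolute link is the right call, since the relative path resolves from the template's own location rather than from the new-issue page.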
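Review bot: The SECURITY.md hunk hard-codes the reporting link as `https://github.com/Babyhamsta/Fenceline/security/advisories/new`, so any fork that keeps this file unchanged will send reports about its own code to the upstream maintainers' private form. That is presumably intended for this repository, but the instruction "Do not open a public issue for a working bypass" gives the reporter nothing to fall back on if the advisory form is unavailable (private vulnerability reporting disabled, or the reporter lacks a GitHub account). Suggest adding one sentence naming a second contact channel for that case, or at least stating that the link is for the upstream project, so the "report privately" rule stays followable. The remaining list items in the hunk (steps to reproduce, version, expected vs. actual) are the right minimum for a bypass report.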