diff --git a/SECURITY.md b/SECURITY.md index b932e83b29b899..9650e812914f81 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -72,7 +72,9 @@ When reporting security vulnerabilities, reporters must adhere to the following 3. **Responsible Testing**: When testing potential vulnerabilities: * Use isolated, controlled environments. - * Do not test on production systems. + * Do not test on production systems without prior authorization. Contact + the Node.js Technical Steering Committee () for permission or open + a HackerOne report. * Do not attempt to access or modify other users' data. * Immediately stop testing if unauthorized access is gained accidentally.
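Review bot: In the added bullet under "Responsible Testing", the parentheses after "Node.js Technical Steering Committee" are empty, so the text tells reporters to contact the TSC for permission without giving a way to reach it. Fill in the contact address or drop the parentheses. The phrase "for permission or open a HackerOne report" is also ambiguous: it does not say whether a HackerOne report is a second channel for requesting authorization or an alternative to testing on production systems at all. Consider stating which channel grants authorization and that it must be granted before testing starts.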