diff --git a/general/security/developer.md b/general/security/developer.md index d85480b66b59d997f745b5d465fffa0226e6e7a3..33d2be9b50514d3ba10a3ffb3230eea41b50edd0 100644 --- a/general/security/developer.md +++ b/general/security/developer.md @@ -20,7 +20,9 @@ the vulnerability. In this case, it should be a confidential issue on [gitlab.com]. Once a security issue is assigned to a developer, we follow the same merge -request and code review process as any other change, but on [dev.gitlab.org]. +request and code review process as any other change, but on [dev.gitlab.org]. +Create a merge request on `dev.gitlab.org` using the `Security Release` template +and follow the directions given there. All security fixes are released for [at least three monthly releases], and you will be responsible for creating backports as well. @@ -39,7 +41,7 @@ post-deployment patch process. disclosure. - [Create a new issue on org](https://dev.gitlab.org/gitlab/gitlabhq/issues/new?issuable_template=Security+developer+workflow) using the [Security Developer Workflow] template. - Security vulnerabilities that exist in **both** CE and EE should be fixed in - the [CE project on org](https://dev.gitlab.org/gitlab/gitlabhq). + the [CE project on org](https://dev.gitlab.org/gitlab/gitlabhq) **and** there needs to be a corresponding MR in EE. - Security vulnerabilities that exist only in EE should be fixed in the [EE project on org](https://dev.gitlab.org/gitlab/gitlab-ee). - Security vulnerabilities that exist in Omnibus should be fixed in the [Omnibus
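Review bot: In the first hunk the new sentence "Create a merge request on `dev.gitlab.org` using the `Security Release` template" gives the template name only as inline code, while the issue step later on the page links straight to its template (`issues/new?issuable_template=Security+developer+workflow`); link the MR template the same way so a developer can reach it from the doc, and reuse the existing `[dev.gitlab.org]` reference link rather than the bare `dev.gitlab.org` code span that the preceding line already links. Also say which template the reader lands on when the two names differ: the issue uses "Security Developer Workflow", the MR uses "Security Release", and the hunk does not explain that these are two separate templates for two separate steps.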
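Review bot: In the second hunk, "should be fixed in the [CE project on org] **and** there needs to be a corresponding MR in EE" is a run-on that leaves the EE side unlinked even though the very next bullet links the EE project; rephrase in parallel and reuse that link, for example "Security vulnerabilities that exist in **both** CE and EE should be fixed in the [CE project on org](https://dev.gitlab.org/gitlab/gitlabhq), with a corresponding MR in the [EE project on org](https://dev.gitlab.org/gitlab/gitlab-ee)." Consider also stating whether the EE MR is a plain merge of the CE branch or a separate port, since the page's later text makes the developer responsible for backports and the hunk does not say which branch the EE MR must target.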