diff --git a/docs/internals/howto-release-django.txt b/docs/internals/howto-release-django.txt
index deee3b614ca..d201f60d8ea 100644
--- a/docs/internals/howto-release-django.txt
+++ b/docs/internals/howto-release-django.txt
@@ -357,8 +357,13 @@ Now you're ready to actually put the release out there. To do this:
 
 #. Post the release announcement to the |django-announce|, |django-developers|,
    and |django-users| mailing lists. This should include a link to the
-   announcement blog post. If this is a security release, also include
-   oss-security@lists.openwall.com.
+   announcement blog post.
+
+#. If this is a security release, send a separate email to
+   oss-security@lists.openwall.com. Provide a descriptive subject, for example,
+   "Django" plus the issue title from the release notes (including CVE ID). The
+   message body should include the vulnerability details, for example, the
+   announcement blog post text. Include a link to the announcement blog post.
 
 #. Add a link to the blog post in the topic of the `#django` IRC channel:
    ``/msg chanserv TOPIC #django new topic goes here``.