diff --git a/README.md b/README.md
index 33e9b91e42..25bd630fa2 100644
--- a/README.md
+++ b/README.md
@@ -207,6 +207,13 @@ patched_versions:
 # General Contributing Guidelines
  * Advisory filename prefix naming preferance is:
    * 1st choice: CVE, then GHSA, then OSVDB.
+     - For post-2016 advisories, use only "published" CVEs which are
+       found at one of these web sites:
+       - https://nvd.nist.gov/vuln/search
+       - https://www.cve.org/CVERecord
+       - https://www.cvedetails.com/index.php
+       - https://cve.report
+     This CVE can be used in the primary "url:", "cve:", and "related:"/"url:" fields.
    * Advisory filename (without suffix) should be equal to root `url:` field value.
  * Try to keep all text within 80 columns.
  * Run yamlint [`yamllint` tool](https://yamllint.readthedocs.io/en/stable/quickstart.html] to check yaml format. It find no issues.