diff --git a/core/modules/update/src/ProjectSecurityData.php b/core/modules/update/src/ProjectSecurityData.php
index 171b130..9cc0e7f 100644
--- a/core/modules/update/src/ProjectSecurityData.php
+++ b/core/modules/update/src/ProjectSecurityData.php
@@ -148,6 +148,10 @@ public function getCoverageInfo() {
    *    what the final minor release of a particular major version will be. This
    *    method should not return a version beyond that minor.
    *
+   * @todo In https://www.drupal.org/node/2998285 determine if we want this
+   *    policy to be expressed in the updates.drupal.org feed, instead of relying
+   *    on a hard-coded constant (self::CORE_MINORS_WITH_SECURITY_COVERAGE).
+   *
    * @return string|null
    *   The version the existing version will receive security coverage until or
    *   NULL if this cannot be determined.
@@ -165,7 +169,31 @@ private function getSecurityCoverageUntilVersion() {
   }
 
   /**
-   * Gets the number of additional minor security covered releases.
+   * Gets the number of additional minor releases with security coverage.
+   *
+   * This function compares the currently installed (existing) version of
+   * the project with two things:
+   * - The latest available official release of that project.
+   * - The target minor release where security coverage for the current release
+   *   should expire. This target release is determined by
+   *   static::getSecurityCoverageUntilVersion().
+   *
+   * The Drupal Security Team policy is currently to provide security coverage
+   * for 2 minor release cycles. Some examples of how this function behaves:
+   *
+   * If the currently installed version of Drupal is 8.7.11, it should be
+   * supported until the 8.9.0 release is published. If the latest official
+   * release of core is 8.8.2, there's one more minor version to go before
+   * coverage expires for 8.7.x, so this function will return 1. Once 8.9.0 is
+   * released, this function will return 0 on a site still running 8.7.11 to
+   * indicate that security coverage has expired.
+   *
+   * If the currently installed version is 9.0.0, and there is no 9.1.0 release
+   * yet, the function would return 2. Once 9.1.0 is out, it would return 1.
+   * When 9.2.0 is released, it would again return 0.
+   *
+   * Note: callers should not test the return value of this function with empty()
+   * since 0 is a valid return value that has different meaning than NULL.
    *
    * @param string $security_covered_version
    *   The version until which the existing version receives security coverage.
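Review bot: The new docblock's first paragraph says this method "compares the currently installed (existing) version of the project with two things", but the method's only input is `$security_covered_version` (the `@param` at the end of this hunk) and, in the later hunk, its body compares that version's minor with the minor of the latest published release; the installed version enters only indirectly through `static::getSecurityCoverageUntilVersion()`. Suggest rewording the paragraph to `This function compares the version until which the existing version receives security coverage (as determined by static::getSecurityCoverageUntilVersion()) with the latest available official release of the project.` The worked examples and the note about not testing the result with `empty()` agree with the visible return statement, which yields 0 or NULL. The examples also describe 0 as the "expired" value, which is only accurate if the subtraction in the later hunk can never go negative; see the note there.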
@@ -173,6 +201,8 @@ private function getSecurityCoverageUntilVersion() {
    * @return int|null
    *   The number of additional minor releases that receive security coverage,
    *   or NULL if this cannot be determined.
+   *
+   * @see static::getSecurityCoverageUntilVersion()
    */
   private function getAdditionalSecurityCoveredMinors($security_covered_version) {
     $security_covered_version_major = ModuleVersion::createFromVersionString($security_covered_version)->getMajorVersion();
@@ -181,17 +211,16 @@ private function getAdditionalSecurityCoveredMinors($security_covered_version) {
       $release_version = ModuleVersion::createFromVersionString($release['version']);
       if ($release_version->getMajorVersion() === $security_covered_version_major && $release['status'] === 'published' && !$release_version->getVersionExtra()) {
         // The releases are ordered with the most recent releases first.
-        // Therefore if we have found an official, published release with the
-        // same major version as $security_covered_version then this release
+        // Therefore, if we have found a published official release with the
+        // same major version as $security_covered_version, then this release
         // can be used to determine the latest minor.
         $latest_minor = $this->getSemanticMinorVersion($release['version']);
         break;
       }
     }
-    // If $latest_minor is set, we know that $latest_minor and
-    // $security_covered_version_minor have the same major version. Therefore we
-    // can simply subtract to determine the number of additional minor security
-    // covered releases.
+    // If $latest_minor is set, we know that $security_covered_version_minor and
+    // $latest_minor have the same major version. Therefore, we can subtract to
+    // determine the number of additional minor security covered releases.
     return isset($latest_minor) ? $security_covered_version_minor - $latest_minor : NULL;
   }
 
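Review bot: The rewritten comment above the return says the two minors "can be subtracted", but the subtraction on the `return isset($latest_minor) ? ...` line is unclamped, so if the feed ever lists a published minor beyond the coverage-until minor the method returns a negative number, while the new docblock in the earlier hunk presents 0 as the value that signals expired coverage. Either clamp it, `return isset($latest_minor) ? max(0, $security_covered_version_minor - $latest_minor) : NULL;`, or, if callers already treat any non-positive value as expired, say so in the comment: `// The result can be negative when the latest minor is already past the coverage-until minor; callers treat any value <= 0 as expired.` The "most recent releases first" comment inside the loop also encodes an ordering assumption about the release feed that nothing in this hunk checks; a short note that the first matching release is taken as the latest purely because of feed order would help a future maintainer. The enclosing method getAdditionalSecurityCoveredMinors starts outside this hunk, and `$security_covered_version_minor` is assigned there.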
