diff --git a/core/modules/update/images/shield-icon.svg b/core/modules/update/images/shield-icon.svg
new file mode 100644
index 0000000..9a7c56d
--- /dev/null
+++ b/core/modules/update/images/shield-icon.svg
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<svg
+   xmlns:dc="http://purl.org/dc/elements/1.1/"
+   xmlns:cc="http://creativecommons.org/ns#"
+   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
+   xmlns:svg="http://www.w3.org/2000/svg"
+   xmlns="http://www.w3.org/2000/svg"
+   version="1.1"
+   id="svg4167"
+   viewBox="0 0 80.115432 91.337247"
+   height="25.777401mm"
+   width="22.610355mm">
+  <defs
+     id="defs4169" />
+  <metadata
+     id="metadata4172">
+    <rdf:RDF>
+      <cc:Work
+         rdf:about="">
+        <dc:format>image/svg+xml</dc:format>
+        <dc:type
+           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
+        <dc:title></dc:title>
+      </cc:Work>
+    </rdf:RDF>
+  </metadata>
+  <g
+     transform="translate(-214.228,-109.55072)"
+     id="layer1">
+    <path
+       style="fill:#333333;fill-rule:evenodd;stroke:#333333;stroke-width:9;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;fill-opacity:1"
+       d="m 255.57537,113.87618 -36.84737,10.57279 0,30.97814 c 0,14.98689 30.61298,40.99562 35.51197,40.96067 l 0.0915,0 c 5.00951,0.0349 35.51196,-25.97378 35.51196,-40.96067 l 0,-30.97814 c -12.25476,-3.52427 -24.50952,-7.04851 -36.76428,-10.57279"
+       id="path4206" />
+  </g>
+</svg>
diff --git a/core/modules/update/src/UpdateProcessor.php b/core/modules/update/src/UpdateProcessor.php
index 25dfc7a..9115357 100644
--- a/core/modules/update/src/UpdateProcessor.php
+++ b/core/modules/update/src/UpdateProcessor.php
@@ -231,6 +231,9 @@ protected function parseXml($raw_xml) {
         foreach ($release->children() as $k => $v) {
           $data['releases'][$version][$k] = (string) $v;
         }
+        if ($release->security['covered']) {
+          $data['releases'][$version]['security_covered'] = TRUE;
+        }
         $data['releases'][$version]['terms'] = [];
         if ($release->terms) {
           foreach ($release->terms->children() as $term) {
diff --git a/core/modules/update/tests/modules/update_test/bbb_update_test.1_0.xml b/core/modules/update/tests/modules/update_test/bbb_update_test.1_0.xml
index 8d705b5..2142c04 100644
--- a/core/modules/update/tests/modules/update_test/bbb_update_test.1_0.xml
+++ b/core/modules/update/tests/modules/update_test/bbb_update_test.1_0.xml
@@ -16,11 +16,11 @@
  <release>
   <name>bbb_update_test 8.x-1.0</name>
   <version>8.x-1.0</version>
-  <tag>DRUPAL-7--1-0</tag>
+  <tag>8.x-1.0</tag>
   <version_major>1</version_major>
   <version_patch>0</version_patch>
   <status>published</status>
-  <release_link>http://example.com/bbb_update_test-7-x-1-0-release</release_link>
+  <release_link>http://example.com/bbb_update_test-8-x-1-0-release</release_link>
   <download_link>http://example.com/bbb_update_test-8.x-1.0.tar.gz</download_link>
   <date>1250424521</date>
   <mdhash>b966255555d9c9b86d480ca08cfaa98e</mdhash>
@@ -29,6 +29,26 @@
    <term><name>Release type</name><value>New features</value></term>
    <term><name>Release type</name><value>Bug fixes</value></term>
   </terms>
+  <security covered="1"/>
+ </release>
+ <release>
+  <name>bbb_update_test 8.x-1.0-beta1</name>
+  <version>8.x-1.0-beta1</version>
+  <tag>8.x-1.0-beta1</tag>
+  <version_major>1</version_major>
+  <version_patch>0</version_patch>
+  <version_extra>beta1</version_extra>
+  <status>published</status>
+  <release_link>http://example.com/bbb_update_test-8-x-1-0-beta1</release_link>
+  <download_link>http://example.com/bbb_update_test-8.x-1.0-beta1.tar.gz</download_link>
+  <date>1250424521</date>
+  <mdhash>7da7b18ce17cef2122f5cbca1bfe626a</mdhash>
+  <filesize>1073751331</filesize>
+  <terms>
+   <term><name>Release type</name><value>New features</value></term>
+   <term><name>Release type</name><value>Bug fixes</value></term>
+  </terms>
+  <security>Not covered!</security>
  </release>
 </releases>
 </project>
diff --git a/core/modules/update/update.compare.inc b/core/modules/update/update.compare.inc
index 2ba5fdc..fff81b7 100644
--- a/core/modules/update/update.compare.inc
+++ b/core/modules/update/update.compare.inc
@@ -177,6 +177,14 @@ function update_calculate_project_update_status(&$project_data, $available) {
     }
   }
 
+  // For dev releases, existing_version looks like '8.4.0-dev', while
+  // updates.drupal.org provides '8.4.x-dev'.
+  $version_normalized = preg_replace('/0-dev$/', 'x-dev', $project_data['existing_version']);
+  if (isset($available['releases'][$version_normalized])) {
+    $project_data['security'] = $available['releases'][$version_normalized]['security'];
+    $project_data['security_covered'] = !empty($available['releases'][$version_normalized]['security_covered']);
+  }
+
   // If the project status is marked as something bad, there's nothing else
   // to consider.
   if (isset($available['project_status'])) {
diff --git a/core/modules/update/update.install b/core/modules/update/update.install
index c616412..74bfc5b 100644
--- a/core/modules/update/update.install
+++ b/core/modules/update/update.install
@@ -33,8 +33,27 @@ function update_requirements($phase) {
     if ($available = update_get_available(FALSE)) {
       module_load_include('inc', 'update', 'update.compare');
       $data = update_calculate_project_data($available);
-      // First, populate the requirements for core:
+
+      // Check if all projects have security advisory coverage.
+      $requirements['update_covered'] = [
+        'title' => t('Drupal.org security advisory coverage'),
+        'value' => t('All modules and themes from Drupal.org receive coverage.'),
+        'description' => t('Learn more about <a href="https://www.drupal.org/security-advisory-policy">Drupal.org security advisory coverage</a>.'),
+      ];
+      foreach ($data as $project) {
+        // 'security_covered' boolean makes a positive assertion of coverage.
+        // 'security' string confirms there is no coverage. Check both so
+        // non-www.drupal.org projects are not false positives.
+        if (!$project['security_covered'] && !empty($project['security'])) {
+          $requirements['update_covered']['value'] = \Drupal::l(t('Not all Drupal.org modules and themes receive security advisory coverage'), new Url('update.status'));
+          $requirements['update_covered']['severity'] = REQUIREMENT_WARNING;
+          break;
+        }
+      }
+
+      // Populate the requirements for core:
       $requirements['update_core'] = _update_requirement_check($data['drupal'], 'core');
+
       // We don't want to check drupal a second time.
       unset($data['drupal']);
       if (!empty($data)) {
diff --git a/core/modules/update/update.module b/core/modules/update/update.module
index 32b5b8c..d2a18bc 100644
--- a/core/modules/update/update.module
+++ b/core/modules/update/update.module
@@ -118,7 +118,17 @@ function update_help($route_name, RouteMatchInterface $route_match) {
       return $output;
 
     case 'update.status':
-      return '<p>' . t('Here you can find information about available updates for your installed modules and themes. Note that each module or theme is part of a "project", which may or may not have the same name, and might include multiple modules or themes within it.') . '</p>';
+      $icon = [
+        '#theme' => 'image',
+        '#width' => 18,
+        '#height' => 18,
+        '#uri' => 'core/modules/update/images/shield-icon.svg',
+        '#alt' => t('Shield'),
+        '#title' => t('Shield'),
+      ];
+      $output = '<p>' . t('Here you can find information about available updates for your installed modules and themes. Note that each module or theme is part of a "project", which may or may not have the same name, and might include multiple modules or themes within it.') . '</p>';
+      $output .= '<p>' . t('Modules and themes with a shield icon @icon are covered by the <a href="https://www.drupal.org/security-advisory-policy">Drupal Security Team’s advisory policy</a>. Vulnerabilities reported to the Security Team will be responsibly disclosed.', ['@icon' => \Drupal::service('renderer')->render($icon)]) . '</p>';
+      return $output;
 
     case 'system.modules_list':
       if (_update_manager_access()) {
diff --git a/core/modules/update/update.report.inc b/core/modules/update/update.report.inc
index 7b14a05..6f6f506 100644
--- a/core/modules/update/update.report.inc
+++ b/core/modules/update/update.report.inc
@@ -260,6 +260,35 @@ function template_preprocess_update_project_status(&$variables) {
   $variables['status']['attributes'] = new Attribute();
   $variables['status']['reason'] = (isset($project['reason'])) ? $project['reason'] : NULL;
 
+  if (isset($project['security'])) {
+    $variables['status']['security'] = $project['security'];
+  }
+  if ($project['security_covered']) {
+    // The update server confirms this release is covered for security
+    // announcements.
+    $variables['status']['security_icon'] = [
+      '#theme' => 'image',
+      '#width' => 18,
+      '#height' => 18,
+      '#uri' => 'core/modules/update/images/shield-icon.svg',
+      '#alt' => t('Shield'),
+      '#title' => t('Shield'),
+    ];
+  }
+  elseif (!empty($project['security'])) {
+    // The update server confirms this release is NOT covered for security
+    // announcements.
+    $variables['status']['security_icon'] = [
+      '#theme' => 'image',
+      '#width' => 18,
+      '#height' => 18,
+      '#uri' => 'core/misc/icons/e29700/warning.svg',
+      '#alt' => t('Warning'),
+      '#title' => t('Warning'),
+    ];
+    drupal_set_message(t('Your site uses modules and/or themes that are not subject to the <a href="https://www.drupal.org/security-advisory-policy">Drupal Security Team’s advisory policy</a>. When vulnerabilities are discovered, they may be disclosed publicly without a fix, and will not have security announcements.'), 'warning');
+  }
+
   switch ($project['status']) {
     case UPDATE_CURRENT:
       $uri = 'core/misc/icons/73b355/check.svg';
diff --git a/core/themes/stable/css/update/update.admin.theme.css b/core/themes/stable/css/update/update.admin.theme.css
index abf0a88..c3711f4 100644
--- a/core/themes/stable/css/update/update.admin.theme.css
+++ b/core/themes/stable/css/update/update.admin.theme.css
@@ -8,10 +8,12 @@
   font-size: 110%;
 }
 .project-update__status {
+  text-align: right; /* LTR */
   float: right; /* LTR */
   font-size: 110%;
 }
 [dir="rtl"] .project-update__status {
+  text-align: left;
   float: left;
 }
 .project-update__status--not-supported {
@@ -32,6 +34,9 @@
   padding-left: 0;
   padding-right: 0.5em;
 }
+.project-update__status-icon img {
+  vertical-align: top;
+}
 .project-update__details {
   padding: 1em 1em 0.25em 1em;
 }
diff --git a/core/themes/stable/templates/admin/update-project-status.html.twig b/core/themes/stable/templates/admin/update-project-status.html.twig
index 5a6d2ec..8a7b775 100644
--- a/core/themes/stable/templates/admin/update-project-status.html.twig
+++ b/core/themes/stable/templates/admin/update-project-status.html.twig
@@ -43,9 +43,15 @@
   <span class="project-update__status-icon">
     {{ status.icon }}
   </span>
+  <div class="project-update__status-security">
+    {{ status.security }}
+    <span class="project-update__status-icon">
+      {{ status.security_icon }}
+    </span>
+  </div>
 </div>
 
-<div class="project-update__title">
+<div class="project-update__title clearfix">
   {%- if url -%}
     <a href="{{ url }}">{{ title }}</a>
   {%- else -%}