diff --git a/README.md b/README.md
index 5ab2cb6f1..8d3e50a64 100644
--- a/README.md
+++ b/README.md
@@ -150,4 +150,4 @@ The [Node.js Moderation Policy](https://github.com/nodejs/admin/blob/master/Mode
 
 [Node.js TSC]: https://github.com/nodejs/TSC
 [Ecosystem Triage Team]: processes/third_party_vuln_process.md#members
-[Node.js Triage Team]: https://github.com/nodejs/node/blob/master/SECURITY.md#triage-team
+[Node.js Triage Team]: processes/security_team_members.md#team-that-triages-security-reports-against-node-core
diff --git a/processes/security_team_members.md b/processes/security_team_members.md
index fa33d86a4..802954301 100644
--- a/processes/security_team_members.md
+++ b/processes/security_team_members.md
@@ -13,16 +13,23 @@ and must be approved by current team members.
 Members of the security teams should indicate that they accept the privacy
 policies by PRing their acceptance to this file.
 
-## Team that triages security reports against node core
+## Team that triages security reports against Node.js
 
-- @cjihrig - **Colin Ihrig**
-- @indutny - **Fedor Indutny**
-- @jasnell - **James M Snell**
-- @mcollina - **Matteo Colina**
-- @mhdawson - **Michael Dawson**
-- @MylesBorins - **Myles Borins**
-- @rvagg - **Rod Vagg**
-- @vdeturckheim - **Vladimir de Turckheim**
+TODO sync with nodejs-private/triage=team, nodejs/triage-team
+
+The [TSC](https://github.com/nodejs/node#tsc-technical-steering-committee)
+are all members of the Triage Team.
+
+These non-TSC and TSC Emeriti are Triage Team members:
+* [indutny](https://github.com/indutny) -
+**Fedor Indutny** &lt;fedor.indutny@gmail.com&gt;
+* [rvagg](https://github.com/rvagg) -
+**Rod Vagg** &lt;rod@vagg.org&gt;
+- [vdeturckheim](https://github.com/vdeturckheim) -
+**Vladimir de Turckheim** &lt;vladimir@sqreen.io &gt;
+
+List is from the [member page](https://hackerone.com/nodejs/team_members) for
+the Node.js program on HackerOne.
 
 ### Emeritus
 
@@ -30,10 +37,11 @@ policies by PRing their acceptance to this file.
 - @jasnell - **James M Snell**
 - @shigeki - **Shigeki Ohtsu**
 
-List is from ["security" alias](https://github.com/nodejs/email/blob/master/iojs.org/aliases.json).
 
 ## Team with access to security issues
 
+XXX Unclear what meaning of this is now that we use H1. Almost certainly not up to date.
+
 - @ChALkeR - **Сковорода Никита Андреевич**
 - @Fishrock123 - **Jeremiah Senkpiel**
 - @MylesBorins - **Myles Borins**
@@ -64,6 +72,8 @@ List is from ["security" alias](https://github.com/nodejs/email/blob/master/iojs
 
 List is from [nodejs/teams/security](https://github.com/orgs/nodejs/teams/security/members).
 
+XXX Why isn't the list from nodejs-private/teams/security? That's the actual one.  Or maybe they are supposed to be synced.
+
 ## Team with access to private security patches
 
 - @addaleax     Anna Henningsen
@@ -98,3 +108,5 @@ who have access to
 
 Every member of the team with access to security issues should have access to
 the private security patches as well.
+
+XXX ... But they don't, and if they did, we wouldn't have to put the list in twice.