diff --git a/static/releases.html b/static/releases.html
index bd1740f9..3ae52ef8 100644
--- a/static/releases.html
+++ b/static/releases.html
@@ -42,6 +42,12 @@
             but may be in the future once they're being used more consistently. Update packages
             are not for performing the initial installation and you should ignore incorrect guides
             trying to use them to install the OS.</p>
+            <p>The update packages have a internal signature verified by the update client (or
+            recovery image when sideloading). Downgrade attacks are also prevented, and downgrades
+            cannot be done unless a special downgrade update package has been signed with the
+            release key. The internal payload for `update_engine` is also signed, providing
+            another layer of signature verification and downgrade protection. Verified boot and
+            the hardware-backed keystore also act as a final layer of protection.</p>
             <p>Releases are tested by the developers and are then pushed out via the Beta channel.
             The release is then pushed out via the Stable channel after being tested by some users
             using the Beta channel. In some cases, problems are caught during Beta channel testing