diff --git a/README.md b/README.md index 7d332bf..ad0ee20 100644 --- a/README.md +++ b/README.md @@ -2,14 +2,14 @@ Minimal Go HTTP service used by the RHADS supply-chain demo. -## The deliberate CVE +## Demo CVE `go.mod` pins `github.com/dgrijalva/jwt-go v3.2.0+incompatible`, which has a documented vulnerability (CVE-2020-26160 — `alg=none` not rejected). The `/verify` handler actually calls into this library, so SBOM scanners pick the dependency up as in-use and RHTPA flags it. -## Fixing the CVE (the "patch" act) +## Fixing the CVE 1. `go get github.com/golang-jwt/jwt/v5` 2. `go mod tidy`
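Review bot: the heading renames in this hunk drop the one place that said the vulnerable pin is intentional. With "The deliberate CVE" becoming "Demo CVE" and "(the "patch" act)" removed, the remaining body text only says the dependency "has a documented vulnerability", so a reader skimming the README could take the `dgrijalva/jwt-go v3.2.0+incompatible` pin for an oversight rather than the point of the demo; suggest keeping one sentence such as "This dependency is pinned on purpose so that the scanner has something to flag" under the new heading. While touching this paragraph, please also double-check the parenthetical description of CVE-2020-26160 ("`alg=none` not rejected") against the advisory text, since RHTPA and the SBOM scanners match on the CVE id rather than the prose and an inaccurate one-line summary in a supply-chain demo README is easy to propagate.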