diff --git a/csaf_2.1/prose/edit/src/distributing.md b/csaf_2.1/prose/edit/src/distributing.md
index 954498e5..6846e9a0 100644
--- a/csaf_2.1/prose/edit/src/distributing.md
+++ b/csaf_2.1/prose/edit/src/distributing.md
@@ -50,6 +50,8 @@ Redirects SHOULD NOT be used. If they are inevitable only HTTP Header redirects
 
 > Reasoning: Clients should not parse the payload for navigation and some, as e.g. `curl`, do not follow any other kind of redirects.
 
+If any redirects are used, there SHOULD not be more than 5 and MUST NOT be more than 10 consecutive redirects.
+
 ### Requirement 7: provider-metadata.json
 
 The party MUST provide a valid `provider-metadata.json` according to the schema