diff --git a/RELEASE.md b/RELEASE.md index b5290599887..221d2d5a77e 100644 --- a/RELEASE.md +++ b/RELEASE.md @@ -6,6 +6,7 @@ - [1.1. Issues](#issues) - [1.2. Backport Commits](#backport-commits) - [1.3. Windows Dependencies](#windows-dependencies) + - [1.4. Harden TLS Defaults](#harden-tls) - [2. Version](#version) - [3. Changelog](#changelog) - [4. Git Tag](#git-tag) @@ -108,6 +109,20 @@ There may be new build versions of other dependencies (VS, MSVC). Our GitHub actions (tests) use the latest ones automatically, but the GitLab runner (release packages) doesn't. +### Harden TLS Defaults + +For major versions evaluate how far the global TLS defaults +can be raised without violating the following requirements: + +* Icinga `2.x.y` must be able to communicate with version `2.{x-1}.0` by default +* Icinga `2.x.y` should be able to communicate with even older versions, + at least after overriding the defaults of the newest version - the easier, + the better (the larger the version gap, the more configuration is OK) +* The latest `.0` version of Icinga (DB) Web must be able + to communicate with the Icinga 2 API by default +* Other Icinga 2 API clients shall not break as well, + consult https://ssl-config.mozilla.org + ## Version
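Review bot: The new table-of-contents entry links to `#harden-tls`, but the heading added in the second hunk is a plain `### Harden TLS Defaults` with no explicit anchor. The neighbouring entries (`#windows-dependencies`, `#backport-commits`) match the slug of their heading text, so this link most likely resolves to nothing. Either change the target to `#harden-tls-defaults` or give the heading an explicit id that matches `harden-tls`.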
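Review bot: The "Harden TLS Defaults" section leaves the release manager without a concrete action in two places. "Global TLS defaults" does not say which settings are in scope, and the last bullet points to https://ssl-config.mozilla.org without naming which of that site's configuration profiles is the reference, so two people following this step can reach different results. The bullets also mix "must", "should" and "shall" for the compatibility requirements; if the difference is intentional (hard requirement for `2.{x-1}.0`, best effort for older versions), say so, and otherwise use one term. Consider adding a sentence on how the compatibility with `2.{x-1}.0` and with Icinga (DB) Web is to be verified before the release, since the section states the requirements but no check.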