diff --git a/core/modules/update/src/ProjectSecurityData.php b/core/modules/update/src/ProjectSecurityData.php
index e86a5845c26..45068978fac 100644
--- a/core/modules/update/src/ProjectSecurityData.php
+++ b/core/modules/update/src/ProjectSecurityData.php
@@ -17,6 +17,12 @@ final class ProjectSecurityData {
    * For example, if this value is 2 and the existing version is 9.0.1, the
    * 9.0.x branch will receive security coverage until the release of version
    * 9.2.0.
+   *
+   * @todo In https://www.drupal.org/node/2998285 determine if we want this
+   *   policy to be expressed in the updates.drupal.org feed, instead of relying
+   *   on a hard-coded constant.
+   *
+   * @see https://www.drupal.org/core/release-cycle-overview
    */
   const CORE_MINORS_WITH_SECURITY_COVERAGE = 2;
 
@@ -144,6 +150,12 @@ final class ProjectSecurityData {
   /**
    * Gets the release the current minor will receive security coverage until.
    *
+   * For the sake of example, assume that the currently installed version of
+   * Drupal is 8.7.11 and that static::CORE_MINORS_WITH_SECURITY_COVERAGE is 2.
+   * When Drupal 8.9.0 is released, the supported minor versions will be 8.8
+   * and 8.9. At that point, Drupal 8.7 will no longer have security
+   * coverage. Therefore, this function would return "8.9.0".
+   *
    * @todo In https://www.drupal.org/node/2998285 determine how we will know
    *    what the final minor release of a particular major version will be. This
    *    method should not return a version beyond that minor.
@@ -165,7 +177,33 @@ final class ProjectSecurityData {
   }
 
   /**
-   * Gets the number of additional minor security covered releases.
+   * Gets the number of additional minor releases with security coverage.
+   *
+   * This function compares the currently installed (existing) version of
+   * the project with two things:
+   * - The latest available official release of that project.
+   * - The target minor release where security coverage for the current release
+   *   should expire. This target release is determined by
+   *   getSecurityCoverageUntilVersion().
+   *
+   * For the sake of example, assume that the currently installed version of
+   * Drupal is 8.7.11 and that static::CORE_MINORS_WITH_SECURITY_COVERAGE is 2.
+   *
+   * Before the release of Drupal 8.8.0, this function would return 2.
+   *
+   * After the release of Drupal 8.8.0 and before the release of 8.9.0, this
+   * function would return 1 to indicate that the next minor version release
+   * will end security coverage for 8.7.
+   *
+   * When Drupal 8.9.0 is released, this function would return 0 to indicate
+   * that security coverage is over for 8.7.
+   *
+   * If the currently installed version is 9.0.0, and there is no 9.1.0 release
+   * yet, the function would return 2. Once 9.1.0 is out, it would return 1.
+   * When 9.2.0 is released, it would again return 0.
+   *
+   * Note: callers should not test this function's return value with empty()
+   * since 0 is a valid return value that has different meaning than NULL.
    *
    * @param string $security_covered_version
    *   The version until which the existing version receives security coverage.
@@ -173,6 +211,8 @@ final class ProjectSecurityData {
    * @return int|null
    *   The number of additional minor releases that receive security coverage,
    *   or NULL if this cannot be determined.
+   *
+   * @see \Drupal\update\ProjectSecurityData\getSecurityCoverageUntilVersion()
    */
   private function getAdditionalSecurityCoveredMinors($security_covered_version) {
     $security_covered_version_major = ModuleVersion::createFromVersionString($security_covered_version)->getMajorVersion();
@@ -181,17 +221,16 @@ final class ProjectSecurityData {
       $release_version = ModuleVersion::createFromVersionString($release['version']);
       if ($release_version->getMajorVersion() === $security_covered_version_major && $release['status'] === 'published' && !$release_version->getVersionExtra()) {
         // The releases are ordered with the most recent releases first.
-        // Therefore if we have found an official, published release with the
-        // same major version as $security_covered_version then this release
+        // Therefore, if we have found a published, official release with the
+        // same major version as $security_covered_version, then this release
         // can be used to determine the latest minor.
         $latest_minor = $this->getSemanticMinorVersion($release['version']);
         break;
       }
     }
-    // If $latest_minor is set, we know that $latest_minor and
-    // $security_covered_version_minor have the same major version. Therefore we
-    // can simply subtract to determine the number of additional minor security
-    // covered releases.
+    // If $latest_minor is set, we know that $security_covered_version_minor and
+    // $latest_minor have the same major version. Therefore, we can subtract to
+    // determine the number of additional minor releases with security coverage.
     return isset($latest_minor) ? $security_covered_version_minor - $latest_minor : NULL;
   }