diff --git a/docs/usage/self-hosted-configuration.md b/docs/usage/self-hosted-configuration.md
index 7b2bbd01ad6e75fa6f883d56b88c3372bf98df0e..931d24e8ccc6cc85fa59bf838af5e5aaa8dfe578 100644
--- a/docs/usage/self-hosted-configuration.md
+++ b/docs/usage/self-hosted-configuration.md
@@ -192,10 +192,11 @@ e.g.
 
 ## exposeAllEnv
 
-By default, Renovate will only pass a limited set of environment variables to package managers.
-Potentially, there could be leaks of confidential data if a script you don't trust enumerates all values in env, so set this to true only if you trust the repositories which the bot runs against.
+By default, Renovate only passes a limited set of environment variables to package managers.
+Confidential data can be leaked if a malicious script enumerates all environment variables.
+Set `exposeAllEnv` to `true` only if you have reviewed (and trust) the repositories which Renovate bot runs against.
 
-Setting this to true will also allow for variable substitution in `.npmrc` files.
+Setting this to `true` will also allow for variable substitution in `.npmrc` files.
 
 ## force