diff --git a/ee/app/policies/vulnerabilities/feedback_policy.rb b/ee/app/policies/vulnerabilities/feedback_policy.rb
index 6f025ea1bd90c1fb4c77f446ae40a8bfb26688f0..bd2d30039698b71c3aaaba0f53aa9181cd5f2aad 100644
--- a/ee/app/policies/vulnerabilities/feedback_policy.rb
+++ b/ee/app/policies/vulnerabilities/feedback_policy.rb
@@ -11,8 +11,7 @@ class FeedbackPolicy < BasePolicy
     rule { issue & ~can?(:create_issue) }.prevent :create_vulnerability_feedback
 
     rule do
-      merge_request &
-        (~can?(:create_merge_request_in) | ~can?(:create_merge_request_from))
+      merge_request & ~can?(:create_merge_request_in)
     end.prevent :create_vulnerability_feedback
 
     rule { ~dismissal }.prevent :destroy_vulnerability_feedback, :update_vulnerability_feedback
diff --git a/ee/spec/policies/vulnerabilities/feedback_policy_spec.rb b/ee/spec/policies/vulnerabilities/feedback_policy_spec.rb
index d8708223a8b1d9d5e49b62a9eb66fee5ea80de89..dc3ee62fdc4e7daeb401a29f0635004a741bdc61 100644
--- a/ee/spec/policies/vulnerabilities/feedback_policy_spec.rb
+++ b/ee/spec/policies/vulnerabilities/feedback_policy_spec.rb
@@ -56,8 +56,8 @@
         end
       end
 
-      context 'when user does not have permission to create merge_request from project' do
-        # guest can create merge request IN but not FROM
+      context 'when user does not have developer permission' do
+        # guest can create merge request IN
         let(:guest) { create(:user) }
 
         subject { described_class.new(guest, vulnerability_feedback) }
@@ -68,7 +68,6 @@
 
         it 'does not allow to create merge request feedback' do
           is_expected.to be_allowed(:create_merge_request_in)
-          is_expected.to be_disallowed(:create_merge_request_from)
           is_expected.to be_disallowed(:create_vulnerability_feedback)
         end
       end