diff --git a/SECURITY.md b/SECURITY.md
index 8a45d86049ee..24801b3b4e43 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -34,6 +34,8 @@ are not limited to):
 
 - `open_basedir` or `disable_functions` bypasses.
 
+- Malicious `unserialize()` inputs.
+
 # Vulnerability Policy
 
 Our full policy is described at