diff --git a/index.html b/index.html index 81ee858..dd8914a 100755 --- a/index.html +++ b/index.html @@ -557,7 +557,8 @@

No new security considerations have been reported on this - specification. + specification. However it is encouraged to look at the + potential [[[#privacy-considerations]]] listed in this document.
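Review bot: the added sentence is passive and missing a comma after "However", and it sits oddly next to the new "Malicious script injection (for advertising or exploitation)" subsection this same patch adds, which describes an injection vector and not only a privacy outcome. Consider "However, readers are encouraged to review the [[[#privacy-considerations]]] listed in this document." and, if the injection scenario is meant to count as a security concern, either softening "No new security considerations have been reported" or pointing at that subsection from here so the two sections do not contradict each other.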

@@ -603,6 +604,18 @@

as mentioned in [[[#identifying-users-across-contexts]]]. The same mitigations apply.

+

+ Malicious script injection (for advertising or exploitation) +

+

+ Through iframes, a malicious actor could inject its own code to + access the posture information and potentially use it to track users. +

+

+ This theoretical attack is mitigated by [[[#data-minimization]]] + as well as the fact that the posture value itself carry little + valuable information and stays stable for long period of time. +
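Review bot: the mitigation paragraph treats stability of the posture value as a mitigation, but a value that "stays stable for long period of time" is what makes a signal useful for fingerprinting; the real mitigation is the low entropy of the value (it can take only a small number of states), so consider rewording to "the posture value carries very little entropy, so even though it is stable over time it adds little to a fingerprint". The threat paragraph should also say whether the API is exposed to cross-origin iframes at all; if it is not gated (for example by a permissions policy or a same-origin or top-level restriction), state that explicitly rather than relying on [[[#data-minimization]]] alone, and confirm that a section with id "data-minimization" exists so the ReSpec reference resolves. Grammar in the added text: "its own code" should be "their own code", "carry little valuable information" should be "carries little valuable information", "long period of time" should be "long periods of time", and "(for advertising or exploitation)" should say what is being exploited or be dropped.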