From 281a3465fb9d7164e90d620e2d31998830e6a8f5 Mon Sep 17 00:00:00 2001 From: Martijn Govers Date: Wed, 7 Jan 2026 13:50:20 +0100 Subject: [PATCH 1/6] crosslink security policy with our assurance case in advanced terminology Signed-off-by: Martijn Govers --- SECURITY.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 0e7e358..3006dbf 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -22,4 +22,8 @@ In addition, Python libraries in this project are only released for [recent Pyth This project is a calculation library without network connection or authentications. There could be however vulnerabilities in the form of (C++) bugs. +Please refer to our assurance case regarding +[different types of bugs and vulnerabilities](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#bug) +and [undefined behavior](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#undefined-behavior), +as well as the respective trust boundaries. You can report the vulnerabilities in the issues as a bug. From 5ebefcccfa757eb173f182dc915dd786a052b2a1 Mon Sep 17 00:00:00 2001 From: Martijn Govers Date: Wed, 7 Jan 2026 14:07:56 +0100 Subject: [PATCH 2/6] also add a separate section for PGM-IO Signed-off-by: Martijn Govers --- SECURITY.md | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index 3006dbf..52d0c56 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -20,6 +20,14 @@ In addition, Python libraries in this project are only released for [recent Pyth ## Reporting a Vulnerability +This project contains multiple repositories, each with different responsibilities, and therefore also different risks +regarding vulnerabilities. +You can report the vulnerabilities in the issues as a bug. + +### power-grid-model + +[![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7298/badge)](https://bestpractices.coreinfrastructure.org/projects/7298) + This project is a calculation library without network connection or authentications. There could be however vulnerabilities in the form of (C++) bugs. Please refer to our assurance case regarding @@ -27,3 +35,17 @@ Please refer to our assurance case regarding and [undefined behavior](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#undefined-behavior), as well as the respective trust boundaries. You can report the vulnerabilities in the issues as a bug. + +### power-grid-model-ds + +TBD + +### power-grid-model-io + +This project contains user configuration in the form of custom mappings and filters via a YAML file. +To prevent code injection during loading, `yaml.safe_load` is used. +In addition, only execution of specific white-listed functions and modules is allowed. +Please refer to the relevant +[security considerations](https://power-grid-model-io.readthedocs.io/en/stable/converters/tabular_converter.html#security-considerations) +for more information. +You can report the vulnerabilities in the issues as a bug. From f280a54f4fefc0848c325508895dda7b43ba8262 Mon Sep 17 00:00:00 2001 From: Martijn Govers Date: Thu, 8 Jan 2026 15:37:14 +0100 Subject: [PATCH 3/6] assurance case for PGM-DS Signed-off-by: Martijn Govers --- SECURITY.md | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 52d0c56..518d6be 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -28,8 +28,9 @@ You can report the vulnerabilities in the issues as a bug. [![OpenSSF Best Practices](https://bestpractices.coreinfrastructure.org/projects/7298/badge)](https://bestpractices.coreinfrastructure.org/projects/7298) -This project is a calculation library without network connection or authentications. -There could be however vulnerabilities in the form of (C++) bugs. +[`power-grid-model`](https://github.com/PowerGridModel/power-grid-model) is a calculation library without network +connection or authentications. +It is, however, possible that there are vulnerabilities in the form of (C++) bugs. Please refer to our assurance case regarding [different types of bugs and vulnerabilities](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#bug) and [undefined behavior](https://power-grid-model.readthedocs.io/en/stable/advanced_documentation/terminology.html#undefined-behavior), @@ -38,11 +39,16 @@ You can report the vulnerabilities in the issues as a bug. ### power-grid-model-ds -TBD +[`power-grid-model-ds`](https://github.com/PowerGridModel/power-grid-model-ds) is a data science library that processes +datasets and configuration that may be user-provided. +Treat all external inputs as untrusted, validate formats/schemas where possible, and avoid unsafe deserialization +(e.g. `pickle`) for untrusted files. +If the visualizer is installed and used, note that it runs a local web server and opens a TCP port. ### power-grid-model-io -This project contains user configuration in the form of custom mappings and filters via a YAML file. +[`power-grid-model-io`](https://github.com/PowerGridModel/power-grid-model-io) is a data conversion library and user +configuration in the form of custom mappings and filters via a YAML file. To prevent code injection during loading, `yaml.safe_load` is used. In addition, only execution of specific white-listed functions and modules is allowed. Please refer to the relevant 
From 656ac63ea0cb6023fd2430c6299ffa295b969df4 Mon Sep 17 00:00:00 2001 From: Martijn Govers Date: Thu, 8 Jan 2026 15:39:00 +0100 Subject: [PATCH 4/6] no oxford comma Signed-off-by: Martijn Govers --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 518d6be..62ffc51 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -41,7 +41,7 @@ You can report the vulnerabilities in the issues as a bug. [`power-grid-model-ds`](https://github.com/PowerGridModel/power-grid-model-ds) is a data science library that processes datasets and configuration that may be user-provided. -Treat all external inputs as untrusted, validate formats/schemas where possible, and avoid unsafe deserialization +Treat all external inputs as untrusted, validate formats/schemas where possible and avoid unsafe deserialization (e.g. `pickle`) for untrusted files. If the visualizer is installed and used, note that it runs a local web server and opens a TCP port. From 913e6bd7cc7064435a99a2005fdf9f6a2f483b87 Mon Sep 17 00:00:00 2001 From: Martijn Govers Date: Thu, 8 Jan 2026 15:40:23 +0100 Subject: [PATCH 5/6] typo Signed-off-by: Martijn Govers --- SECURITY.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 62ffc51..99727e1 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -47,8 +47,8 @@ If the visualizer is installed and used, note that it runs a local web server an ### power-grid-model-io -[`power-grid-model-io`](https://github.com/PowerGridModel/power-grid-model-io) is a data conversion library and user -configuration in the form of custom mappings and filters via a YAML file. +[`power-grid-model-io`](https://github.com/PowerGridModel/power-grid-model-io) is a data conversion library and +constains user configuration in the form of custom mappings and filters via a YAML file. To prevent code injection during loading, `yaml.safe_load` is used. In addition, only execution of specific white-listed functions and modules is allowed. Please refer to the relevant From 1def1c8edd4df8d9f418abf5d85f4a1807810177 Mon Sep 17 00:00:00 2001 From: Martijn Govers Date: Thu, 8 Jan 2026 15:41:21 +0100 Subject: [PATCH 6/6] improve phrasing Signed-off-by: Martijn Govers --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index 99727e1..6447eef 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -50,7 +50,7 @@ If the visualizer is installed and used, note that it runs a local web server an [`power-grid-model-io`](https://github.com/PowerGridModel/power-grid-model-io) is a data conversion library and constains user configuration in the form of custom mappings and filters via a YAML file. To prevent code injection during loading, `yaml.safe_load` is used. -In addition, only execution of specific white-listed functions and modules is allowed. +In addition, execution is restricted to specific white-listed functions and modules. Please refer to the relevant [security considerations](https://power-grid-model-io.readthedocs.io/en/stable/converters/tabular_converter.html#security-considerations) for more information.
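
Review bot: the phrase "as well as the respective trust boundaries" added in [PATCH 1/6] has no link of its own, while the two links before it go only to the `#bug` and `#undefined-behavior` anchors of the terminology page. A reader has no pointer to where the trust boundaries are described. Link the phrase to the part of the assurance case that defines them, or drop it if the two linked sections already cover it.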
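
Review bot: the new introduction in the first hunk of [PATCH 2/6] says the project spans multiple repositories and then says "You can report the vulnerabilities in the issues as a bug." without saying which repository's issue tracker is meant. Name the tracker, or say that the report goes to the affected repository. Because the sentence sends reporters to a public tracker, the policy should also say whether a private channel exists for reports that should not be public before a fix is released.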
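
Review bot: after the second hunk of [PATCH 2/6] the sentence "You can report the vulnerabilities in the issues as a bug." appears three times in SECURITY.md: in the new introduction, as the unchanged last line of the `power-grid-model` section and as the last added line of the `power-grid-model-io` section. Keep it once in the introduction and remove the per-repository copies, so that a later change to the reporting procedure only needs to be made in one place.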
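
Review bot: the visualizer sentence added to the `power-grid-model-ds` section in the second hunk of [PATCH 3/6] says only that it "runs a local web server and opens a TCP port", which is not enough for a user to judge exposure. State which address the server binds to (loopback only or all interfaces), which port it uses by default and whether access is authenticated. In the same hunk the rewritten `power-grid-model-io` sentence reads "is a data conversion library and user configuration in the form of ...": the verb "contains" from the removed line was lost and should be restored in this commit rather than in a follow-up.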
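
Review bot: `constains` in the second added line of [PATCH 5/6] is a misspelling of `contains`, so the commit titled "typo" introduces one. The same word is carried unchanged as a context line in [PATCH 6/6], so the series ends with the misspelling still in SECURITY.md. Fix it here, or squash patches 3 to 6 so the sentence is written correctly once.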