diff --git a/SECURITY.md b/SECURITY.md index b8f54307d5ed5b..9d008bfbe05e99 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -106,6 +106,9 @@ a security vulnerability. Examples of unwanted actions are polluting globals, causing an unrecoverable crash, or any other unexpected side effects that can lead to a loss of confidentiality, integrity, or availability. +For example, if trusted input (like secure application code) is correct, +then untrusted input must not lead to arbitrary JavaScript code execution. + **Node.js trusts everything else**. Examples include: * The developers and infrastructure that runs it.
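Review bot: In the added sentence, "if trusted input (like secure application code) is correct" leaves "correct" undefined and labels the trusted input "secure", which is the property the example is meant to illustrate, so the condition reads as circular. Suggest stating the precondition concretely, for instance "if the application code (trusted input) has no vulnerability of its own", and dropping "secure". Since the new paragraph sits directly before "**Node.js trusts everything else**", it would also help to say explicitly that the untrusted input is data the application passes to Node.js, so readers do not take "untrusted input" to include items from the list that follows.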