w3c · gkellogg · Feb 5, 2015 · Feb 4, 2015
diff --git a/metadata/index.html b/metadata/index.html
@@ -1696,6 +1696,18 @@ <h3>Converting Tables</h3>
         </ul>
       </section>
     </section>
+    <section>
+      <h2>Security Considerations</h2>
+      <p>
+        Applications that process tabular data may use that data to drive other actions, which may have security implications. These behaviours are outside the scope of this specification.
+      </p>
+      <p>
+        Third party metadata provided about a tabular data file (such as a CSV file) may rename or ignore headers, or exclude rows or columns, which may lead to data being misinterpreted by applications that process it.
+      </p>
+      <p>
+        <a title="template specification">Template specifications</a> are a possible security risk as they enable the creators of metadata to reference arbitrary code that may be executed to convert tabular data into other formats. Implementations should run this arbitrary code in a sandboxed environment to reduce the security risk.
+      </p>
+    </section>
     <section class="appendix">
       <h2>Acknowledgements</h2>
       <p>
@@ -1711,12 +1723,6 @@ <h3>Registration of <code>application/csvm+json</code></h3>
         </p>
       </section>
     </section>
-    <section class="appendix">
-      <h2>Security Considerations</h2>
-      <p class="issue" data-number="8">
-        TODO: General CSV security considerations.
-      </p>
-    </section>
     <section class="appendix">
       <h2>JSON-LD Context</h2>
       <p>