diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 5dd9862c66..f3e0f2498c 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -8,6 +8,7 @@ What reports we do not accept: - Executing PHP code by an extension or during the installation or upgrade process. - Exposing contacts though a target list, campaign or mass email, considering the user has access to them. +- SSRF in IMAP/SMTP with TOCTOU. ## Supported versions
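Review bot: the added entry `- SSRF in IMAP/SMTP with TOCTOU.` in the "What reports we do not accept" list is too terse for a reporter to tell what is actually excluded. Unlike the two entries above it, it names no scenario or precondition (compare "considering the user has access to them"), and it leaves open whether only the TOCTOU variant is out of scope or any SSRF report involving IMAP/SMTP. Suggest expanding the acronyms on first use, stating which feature and which condition make the report ineligible, and adding a short reason, so the exclusion cannot be read as covering SSRF reports in general. While this list is being edited, "though" in the unchanged context line above ("Exposing contacts though a target list") looks like a typo for "through".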