diff --git a/.github/SECURITY.md b/.github/SECURITY.md
index 88c45fbb..77abbe3b 100644
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@@ -72,6 +72,18 @@ If someone is able to tamper with the OAuth2 responses then the entire OAuth2 fl
~Nonetheless, in future PocketBase releases there will be [extra `localhost` domain like checks](https://github.com/orgs/pocketbase/projects/2/views/1?pane=issue&itemId=159545722) when assigning the OAuth2 avatar URL to a `file` field that will further minimize the risk of internal network probing requests in case of a vulnerable OAuth2 provider.~ _Done._
+
+Users enumeration
+
+This is a common and usually valid report but there is no easy solution without confusing and degrading the users experience.
+
+Some endpoints, like the user create/register, can be used for username or emails enumeration based on various response heuristics - timing, specific error messages, etc.
+
+In many places where applicable we've tried to minimize the impact by using constant time checks, returning non-descriptive error messages, applying an internal rate limit for some operations, etc. but it is not bulletproof and if somebody wants to find out if a user is registered they will be able to do it one way or another.
+
+If you think that there is a place where we can improve the handling without hurting too much the user experience, feel free to open a regular public issue and it will be considered.
+
+
disintegration/imaging CVE-2023-36308
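Review bot: the new "Users enumeration" section never states explicitly whether enumeration reports are in scope for private disclosure; it only implies it by pointing reporters to "a regular public issue" in the last paragraph. Since the section opens by calling this "a common and usually valid report", add one sentence up front saying that username/email enumeration is a known, accepted limitation that should be filed publicly rather than through the security contact, so the triage outcome is clear before the rationale. Two smaller points in the same hunk: "Users enumeration" should be "User enumeration" (the body text already uses "users enumeration" once and "username or emails enumeration" once; pick the singular form consistently), and "without hurting too much the user experience" reads better as "without hurting the user experience too much". It would also help reporters to name which operations currently get the constant-time checks and the internal rate limit mentioned in the third paragraph ("the user create/register" is the only endpoint named), so duplicate reports against already-mitigated endpoints can be closed quickly.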