diff --git a/py-confire/TODO b/py-confire/TODO
new file mode 100644
index 0000000000..e989761368
--- /dev/null
+++ b/py-confire/TODO
@@ -0,0 +1,2 @@
+This package has known vulnerabilities, please investigate and fix if possible:
+ CVE-2017-16763