diff --git a/site/content/contribute/security.md b/site/content/contribute/security.md index e30e828..22ddbbd 100644 --- a/site/content/contribute/security.md +++ b/site/content/contribute/security.md @@ -15,4 +15,8 @@ Unfortunately for everybody, JavaScript is the language of the web. Kerolox does [^tanstack]: [Tanstack supply chain attack](https://tanstack.com/blog/npm-supply-chain-compromise-postmortem) -- TODO: describe workarounds +- TODO: describe npm workarounds +- TODO: CVE reporting policy +- TODO: dependency updating strategy + - npm-based stuff is under extra scrutiny +- TODO automatic secret sanitation diff --git a/site/content/contribute/site.md b/site/content/contribute/site.md index 42c35ef..fca6dd6 100644 --- a/site/content/contribute/site.md +++ b/site/content/contribute/site.md @@ -45,11 +45,6 @@ This runs Zola as an HTTP server of the site's content at `http://localhost:1111 - TODO: [PWA support](https://abridge.pages.dev/overview-abridge/#pwa) for mobile sandbox - TODO: Atkinson Hyperlegible Next - TODO: document how to report bugs and get help -- TODO: document security policy - - CVE reporting policy - - dependency updating strategy - - npm-based stuff is under extra scrutiny - - automatic secret sanitation - TODO: cookbook for common Kerolox idioms - TODO: tag example pages by demonstrated concept - TODO: favicon
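Review bot: In the security.md hunk the last added line `- TODO automatic secret sanitation` drops the colon that every other item in the list uses (`- TODO: describe npm workarounds`, `- TODO: CVE reporting policy`); make it `- TODO: automatic secret sanitation` so the list stays consistent and greppable. While here, consider "sanitization" over "sanitation" for the wording, and say what the sub-item `npm-based stuff is under extra scrutiny` means in practice (pinning, lockfile review, install scripts disabled) once the dependency-updating TODO is written up, since the `[^tanstack]` footnote just above is the motivation for it.

Review bot: The site.md hunk removes the whole security-policy TODO block but leaves `- TODO: document how to report bugs and get help` behind, while `- TODO: CVE reporting policy` now lives only in security.md; the two overlap and a reader of site.md no longer sees that security reports have a separate path. Suggest either adding a one-line pointer in site.md to the security page (e.g. `- TODO: link to the security policy for vulnerability reports`) or wording the remaining item as "report non-security bugs and get help" so the split between the two pages is explicit.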