diff --git a/spec/index.html b/spec/index.html
index 9d0eb02..aa53779 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -2182,6 +2182,17 @@ <h2>Security Considerations</h2>
      in [[[UNICODE-SECURITY]]] [[UNICODE-SECURITY]] and
      [[[RFC3987]]] [[RFC3987]] Section 8.</p>
 
+  <p>
+    <a href="#graph-isomorphism">Comparing</a> graphs,
+    <a href="https://www.w3.org/TR/sparql12-query/">querying</a> them,
+    or <a href="https://www.w3.org/TR/rdf12-semantics/#simple_entailment_properties">reasoning</a> with them,
+    often relies on computing <em>(sub)graph isomorphism</em>,
+    which is known to be computationally complex in the worst case.
+    This means that malicious graphs can be constructed to cause RDF implementations to stall or run out of memory.
+    Implementations processing graphs from untrusted sources are expected to provide mitigations;
+    examples are given in the section on <a data-cite="RDF-CANON#dataset-poisoning">Dataset Poisoning</a> in [[RDF-CANON]].
+  </p>
+
   <p class="note">These considerations are a more generic form
     of Security Considerations for [[RDF12-TURTLE]], [[RDF12-TRIG]], [[RDF12-N-TRIPLES]],
     and [[RDF12-N-QUADS]].</p>