diff --git a/doc/security/index.rst b/doc/security/index.rst
index c5e1d8d1add..328eb549945 100644
--- a/doc/security/index.rst
+++ b/doc/security/index.rst
@@ -14,3 +14,4 @@ for ensuring security is addressed within the Zephyr project.
    secure-coding.rst
    sensor-threat.rst
    hardening-tool.rst
+   vulnerabilities.rst
diff --git a/doc/security/vulnerabilities.rst b/doc/security/vulnerabilities.rst
new file mode 100644
index 00000000000..9986f2dfe05
--- /dev/null
+++ b/doc/security/vulnerabilities.rst
@@ -0,0 +1,25 @@
+.. _vulnerabilities:
+
+Vulnerabilities
+###############
+
+This page collects all of the vulnerabilities that are discovered and
+fixed in each release.  It will also often have more details than is
+available in the releases.  Some vulnerabilities are deemed to be
+sensitive, and will not be publically discussed until there is
+sufficient time to fix them.  Because the release notes are locked to
+a version, the information here can be updated after the embargo is
+lifted.
+
+Release 1.14.0 and 2.0.0
+------------------------
+
+The following security vulnerability (CVE) was addressed in this
+release:
+
+* Fixes CVE-2019-9506: The Bluetooth BR/EDR specification up to and
+  including version 5.1 permits sufficiently low encryption key length
+  and does not prevent an attacker from influencing the key length
+  negotiation. This allows practical brute-force attacks (aka "KNOB")
+  that can decrypt traffic and inject arbitrary ciphertext without the
+  victim noticing.