diff --git a/security-classification.rst b/security-classification.rst index fd0d381..4b6a01a 100644 --- a/security-classification.rst +++ b/security-classification.rst @@ -99,8 +99,9 @@ We do not classify as a security issue any issue that: - requires invocation of specific code, which may be valid but is obviously malicious -- requires invocation of functions with specific arguments, which may be valid - but are obviously malicious +- requires passing malicious arguments to functions clearly not intended to + receive unsanitized values, e.g. mysqli_query(). escapeshellarg() on the + other hand should clearly be hardened against unsafe inputs. - requires specific actions to be performed on the server, which are not commonly performed, or are not commonly permissible for the user (uid)
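Review bot: the second sentence of the added bullet, "escapeshellarg() on the other hand should clearly be hardened against unsafe inputs.", states something that *is* treated as a security issue in the middle of a list whose every item describes what is *not* classified as one, so a reader skimming the list can easily read it as a further exclusion. Consider keeping the bullet to the exclusion and its example ("- requires passing malicious arguments to functions clearly not intended to receive unsanitized values, e.g. mysqli_query()") and moving the counter-example out of the list, either as a short sentence after it or as a parenthetical along the lines of "(functions whose purpose is to sanitize input, such as escapeshellarg(), are expected to handle unsafe values)". Minor: if the rest of the document marks function names as ``literal`` text, the two new function names should follow that convention.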