diff --git a/.security/known_cves.yml b/.security/known_cves.yml
new file mode 100644
index 000000000..faf5456ff
--- /dev/null
+++ b/.security/known_cves.yml
@@ -0,0 +1,8 @@
+# yaml-language-server: $schema=./known_cves_schema.json
+
+- CVE: CVE-2025-52999
+ artifact: org.example:vulnerability-lib:3.18.0
+ justification: >
+ Some text
+ with very nice and clear explanation
+ expiration_date: 2030-05-18
\ No newline at end of file
diff --git a/.security/known_cves_schema.json b/.security/known_cves_schema.json
new file mode 100644
index 000000000..a5c47b24f
--- /dev/null
+++ b/.security/known_cves_schema.json
@@ -0,0 +1,33 @@
+{
+ "$schema": "https://json-schema.org/draft/2020-12/schema",
+ "title": "Know vulnerabilities exceptions report",
+ "type": "array",
+ "items": {
+ "type": "object",
+ "properties": {
+ "CVE": {
+ "type": "string",
+ "description": "The Common Vulnerabilities and Exposures Id. https://www.cve.org/",
+ "pattern": "^CVE-\\d{4}-\\d{4,}$"
+ },
+ "artifact": {
+ "type": "string",
+ "description": "The Maven style artifact id. (group:artifact:version)"
+ },
+ "justification": {
+ "type": "string",
+ "description": "The reason why this vulnerability does not impact the tools."
+ },
+ "expiration_date": {
+ "type": "string",
+ "format": "date",
+ "description": "The date (YYYY-MM-DD) when this waiver expires and must be reviewed."
+ }
+ },
+ "required": [
+ "CVE",
+ "artifact",
+ "justification"
+ ]
+ }
+}
\ No newline at end of file
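Review bot: The single entry in this file is a live waiver rather than a template: it suppresses CVE-2025-52999 on `org.example:vulnerability-lib:3.18.0` until 2030-05-18 with the placeholder justification `Some text with very nice and clear explanation`. If any scanner consumes `.security/known_cves.yml` as committed, that placeholder would be honoured for five years; keep the worked example as a commented-out block (`# - CVE: CVE-2025-52999` …) and commit an empty list `[]` until a real exception is needed. A five-year expiry also defeats the purpose of `expiration_date`, which the schema describes as the point at which the waiver "must be reviewed" — a horizon measured in months is the usual practice for suppressions. The file is also missing its trailing newline.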
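Review bot: `expiration_date` is absent from the `required` list at the end of the hunk, so an entry with no expiry validates and silences the CVE indefinitely; the description already says a waiver "expires and must be reviewed", so make the field mandatory. The item schema also has no `"additionalProperties": false`, meaning a misspelt key such as `expiry_date` passes validation and the waiver quietly becomes open-ended. `artifact` and `justification` accept any string including `""`; a `pattern` for the `group:artifact:version` shape and a `minLength` on the justification keep the register meaningful. Be aware that `"format": "date"` is annotation-only under draft 2020-12 unless the validator enables format assertions, so the consuming tool needs that switched on or a `"pattern": "^\\d{4}-\\d{2}-\\d{2}$"` as a fallback; the title should also read `Known`, not `Know`.
```json
"items": {
  "type": "object",
  "additionalProperties": false,
  "properties": {
    // … unchanged: CVE …
    "artifact": {
      "type": "string",
      "pattern": "^[^:\\s]+:[^:\\s]+:[^:\\s]+$",
      "description": "The Maven style artifact id. (group:artifact:version)"
    },
    "justification": {
      "type": "string",
      "minLength": 20,
      "description": "The reason why this vulnerability does not impact the tools."
    },
    // … unchanged: expiration_date …
  },
  "required": [
    "CVE",
    "artifact",
    "justification",
    "expiration_date"
  ]
}
```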