Provide a discussion of the security considerations.
All media type registrations must describe their security considerations; simply saying there are none
or leaving the section blank is unacceptable.
In discussing the security considerations for a media type, it is necessary to cover at least these points:
(1) State whether or not the media type contains active or executable
content. If the media type does contain executable content, explain
what measures have been taken to ensure that it can be executed
safely, e.g., a sandbox, safe operation set, signed content, etc.
(2) State whether or not the information contained in the media type
needs privacy or integrity services.
(3) If the answer to (2) is yes, elaborate on any privacy or integrity
services the media type itself provides. If it doesn't provide
such services, explain how they should be provided externally,
e.g., through the use of SSL/TLS.
(4) If the media type uses an existing format, e.g., XML or JSON, the
security considerations for that format must be referenced and any
issues specific to the usage of that format, e.g., XML
extensibility, must be described.
(4a) If the media type employs compression, the security
considerations associated with that usage must be covered.
(4b) If the media type employs a container format, e.g., ZIP, any
issues associated with that usage need to be described.
(5) If the media type incorporates links that must be referenced in
order to properly interpret the type, this should be noted.
Finally, although it is discouraged, it is acceptable to simply say that
the security considerations of the media type have not been assessed.
See RFC 6838, section 4.6.