diff --git a/Build-Security.md b/Build-Security.md index edcfbe8..8423aeb 100644 --- a/Build-Security.md +++ b/Build-Security.md @@ -1,2 +1,4 @@ 1. On execution of ``./gradlew build``, the gradle wrapper downloads the actually required gradle version. This download is protected by SHA-256 verification [integrated by us into Gradle Wrapper](https://github.com/gradle/gradle/pull/448) (see [gradle/wrapper/gradle-wrapper.properties](https://github.com/open-keychain/open-keychain/blob/master/gradle/wrapper/gradle-wrapper.properties)). -2. All dependencies are either included as git submodules or downloaded from JCenter. JCenter dependencies are verified using SHA-256 by [Gradle Witness](https://github.com/WhisperSystems/gradle-witness) (see [OpenKeychain/build.gradle](https://github.com/open-keychain/open-keychain/blob/master/OpenKeychain/build.gradle)). \ No newline at end of file +2. All dependencies are either included as git submodules or downloaded from JCenter. JCenter dependencies are verified using SHA-256 by [Gradle Witness](https://github.com/WhisperSystems/gradle-witness) (see [OpenKeychain/build.gradle](https://github.com/open-keychain/open-keychain/blob/master/OpenKeychain/build.gradle)). + +TODO?: buildscript dependency verification? \ No newline at end of file
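Review bot: The added last line, `TODO?: buildscript dependency verification?`, is phrased as an open question, so a reader of this page cannot tell whether buildscript dependencies are currently outside the SHA-256 checks described in items 1 and 2 or whether this is only an idea under consideration. Since the page documents what the build verifies, state the status explicitly, for example as an item 3 in the numbered list saying that buildscript dependencies are not verified yet (if that is the case), with a link to a tracking issue. The file also still ends without a trailing newline; adding one would keep the next edit from touching this line again.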