This document gives procedural guidance on the development of codecs within the IETF.

In its Security Considerations section, it says:

    The procedural guidelines for codec development do not have security considerations. However, the resulting codec needs to take appropriate security considerations into account, for example as outlined in [DOS] and [SECGUIDE].

I think that additionally, authors of codec specifications should consider what implementation vulnerabilities are likely to arise, and document them in the specification. As I recall, audio, video, and image codecs have a long history of implementation vulnerabilities shared among multiple implementations. These shared vulnerabilities could be due to the encodings being mostly binary in nature, sometimes with explicit length counts for arrays, inviting buffer overflows when implemented in languages such as C. (I have not extensively studied these vulnerabilities, but I'm sure other people have done so in much more detail.)

Editorial:

It's not clear what kinds of codecs are being considered. Text in the document implies that the focus is audio codecs rather than video or other codecs, but perhaps the document should clarify what kinds of codecs are in scope.

I misinterpreted "RF license" as "radio-frequency license" initially, but a few clauses earlier, I found that "RF" is used to represent "royalty-free". As there are no other occurrences of "RF" with this meaning, consider writing it in expanded form in both places (possibly leaving the "RF" parenthetical for the first occurrence).
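As an added illustration of the length-count hazard mentioned above (example code written for this page, not taken from the draft or from any real codec), the decoder below validates an explicit element count against both the destination table and the input actually present before copying. The frame layout, MAX_SAMPLES, frame_t and decode_frame are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed frame layout (not any real codec): a 16-bit little-endian
 * sample count followed by that many 16-bit samples, which the decoder
 * copies into a fixed-size table. */
#define MAX_SAMPLES 64

typedef struct {
    uint16_t samples[MAX_SAMPLES];
    size_t   count;
} frame_t;

static uint16_t read_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Hardened decoder: returns 0 on success, -1 on a malformed frame.
 * Both checks are needed. Trusting the declared count alone lets a
 * frame overflow out->samples (count > MAX_SAMPLES) or make the decoder
 * read past the end of a short input (count * 2 > bytes remaining). */
int decode_frame(const uint8_t *buf, size_t len, frame_t *out) {
    if (buf == NULL || out == NULL || len < 2)
        return -1;
    uint16_t count = read_u16le(buf);
    if (count > MAX_SAMPLES)            /* would overflow the table */
        return -1;
    if ((size_t)count * 2 > len - 2)    /* would read past the input */
        return -1;
    for (size_t i = 0; i < count; i++)
        out->samples[i] = read_u16le(buf + 2 + 2 * i);
    out->count = count;
    return 0;
}

/* Convenience wrapper: decoded sample count, or -1 if the frame was rejected. */
int decode_count(const uint8_t *buf, size_t len) {
    frame_t f;
    memset(&f, 0, sizeof f);
    return decode_frame(buf, len, &f) == 0 ? (int)f.count : -1;
}

/* Constructed inputs: a well-formed 3-sample frame, a frame whose count
 * field claims far more samples than MAX_SAMPLES, and a truncated frame
 * whose count field promises more samples than the bytes that follow. */
static const uint8_t good_frame[]      = {0x03, 0x00, 0x10, 0x00, 0x20, 0x00, 0x30, 0x00};
static const uint8_t oversized_frame[] = {0xFF, 0xFF, 0x01, 0x02};
static const uint8_t truncated_frame[] = {0x04, 0x00, 0x01, 0x00};
```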