diff --git a/Changelog.md b/Changelog.md index e8a7e16b..45f14333 100644 --- a/Changelog.md +++ b/Changelog.md @@ -1,5 +1,16 @@ # X.X.X (Next) +- + +# 1.3.0 (Next) + +Security + +- Add `validate_entry_sizes` option so that callers can trust an entry's reported size when using `extract` [#403](https://github.com/rubyzip/rubyzip/pull/403) + - This option defaults to `false` for backward compatibility in this release, but you are strongly encouraged to set it to `true`. It will default to `true` in rubyzip 2.0. + +New Feature + - Add `add_stored` method to simplify adding entries without compression [#366](https://github.com/rubyzip/rubyzip/pull/366) Tooling / Documentation diff --git a/README.md b/README.md index 2ff41ed9..51b275b9 100644 --- a/README.md +++ b/README.md 
@@ -265,7 +265,13 @@ Zip.warn_invalid_date = false ### Size Validation -By default, `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like: +**This setting defaults to `false` in rubyzip 1.3 for backward compatibility, but it will default to `true` in rubyzip 2.0.** + +If you set +``` +Zip.validate_entry_sizes = true +``` +then `rubyzip`'s `extract` method checks that an entry's reported uncompressed size is not (significantly) smaller than its actual size. This is to help you protect your application against [zip bombs](https://en.wikipedia.org/wiki/Zip_bomb). Before `extract`ing an entry, you should check that its size is in the range you expect. For example, if your application supports processing up to 100 files at once, each up to 10MiB, your zip extraction code might look like: ```ruby MAX_FILE_SIZE = 10 * 1024**2 # 10MiB diff --git a/lib/zip.rb b/lib/zip.rb index c3a6ed5e..eeac96a0 100644 --- a/lib/zip.rb +++ b/lib/zip.rb @@ -55,7 +55,7 @@ def reset! @write_zip64_support = false @warn_invalid_date = true @case_insensitive_match = false - @validate_entry_sizes = true + @validate_entry_sizes = false end def setup
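Review bot: In the Changelog hunk, the `# X.X.X (Next)` section gains an empty `-` bullet and the file now has two headings marked `(Next)` (`X.X.X (Next)` and `1.3.0 (Next)`). Drop the empty bullet under `X.X.X (Next)` or remove that heading entirely, and keep only `1.3.0 (Next)` as the pending release, so the release notes do not ship with a blank entry and an ambiguous "next" version. The Security entry itself reads well, and pointing readers to `validate_entry_sizes` with the 2.0 default change is the right place for it.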
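Review bot: The README hunk's new paragraph still tells readers to check `entry.size` against an expected range before `extract`ing, but with `Zip.validate_entry_sizes = false` (the new default) that check compares against the size reported in the archive, which an attacker controls, so the guidance only protects against zip bombs once the option is enabled. State that explicitly in the sentence after the setting, e.g. "Without this option, the size reported by an entry is not verified and the range check below is not a reliable defence", so the example is not read as sufficient on its own. Minor: the new fence around `Zip.validate_entry_sizes = true` is untagged while the example below uses ```` ```ruby ````; tag it `ruby` for consistent highlighting.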
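Review bot: The `lib/zip.rb` hunk flips `@validate_entry_sizes` to `false` in `reset!` with no comment explaining why a security check is off by default; add a one-line comment next to it noting that the default is `false` only for backward compatibility in 1.x and becomes `true` in 2.0, so the flag is not silently left off when 2.0 is prepared. It would also be worth emitting a one-time warning from `extract` when the option is `false`, mirroring the "strongly encouraged to set it to `true`" wording in the Changelog, so existing callers notice the insecure default before the release that changes it.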