diff --git a/README.md b/README.md index e0c31252..602d6042 100644 --- a/README.md +++ b/README.md @@ -340,10 +340,10 @@ Not seeing the behavior you want? `exec()` runs everything through `sh` by default (or `cmd.exe` on Windows), which differs from `bash`. If you need bash-specific behavior, try out the `{shell: 'path/to/bash'}` option. -**Note:** as `shell.exec()` executes an arbitrary string in the system -shell, it is **critical** to properly sanitize user input to avoid command -execution. For more context, consult the [Security -guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines). +**Security note:** as `shell.exec()` executes an arbitrary string in the +system shell, it is **critical** to properly sanitize user input to avoid +**command injection**. For more context, consult the [Security +Guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines). ### find(path [, path ...]) diff --git a/src/exec.js b/src/exec.js index e6077a33..e765cb1a 100644 --- a/src/exec.js +++ b/src/exec.js @@ -178,10 +178,10 @@ function execAsync(cmd, opts, pipe, callback) { //@ by default (or `cmd.exe` on Windows), which differs from `bash`. If you //@ need bash-specific behavior, try out the `{shell: 'path/to/bash'}` option. //@ -//@ **Note:** as `shell.exec()` executes an arbitrary string in the system -//@ shell, it is **critical** to properly sanitize user input to avoid command -//@ execution. For more context, consult the [Security -//@ guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines). +//@ **Security note:** as `shell.exec()` executes an arbitrary string in the +//@ system shell, it is **critical** to properly sanitize user input to avoid +//@ **command injection**. For more context, consult the [Security +//@ Guidelines](https://github.com/shelljs/shelljs/wiki/Security-guidelines). function _exec(command, options, callback) { options = options || {}; if (!command) common.error('must specify command');
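Review bot: the reworded README note still tells users to "properly sanitize user input", but sanitizing a string that is handed whole to `sh` or `cmd.exe` is notoriously hard to get right; consider stating plainly that untrusted input should not be interpolated into the `exec()` command string at all and that commands should be built from fixed, developer-controlled strings, leaving the wiki page for the details. Switching the wording from "command execution" to "**command injection**" is the right term for what the note is warning about.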
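Review bot: the `//@` doc block in `src/exec.js` now matches the README hunk word for word, which is what you want since the two copies have to stay in sync. The one code-adjacent point is that `_exec` just below still only guards with `if (!command) common.error('must specify command');`, which rejects empty or falsy values but not a non-string argument; since this hunk is about command injection, a `typeof command !== 'string'` check next to it would be a cheap hardening that fails loudly instead of stringifying an unexpected value into the shell command.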