add deserialization notices
diff --git a/content/en/docs/notices/_index.md b/content/en/docs/notices/_index.md
new file mode 100755
index 0000000..7aa7b7f
--- /dev/null
+++ b/content/en/docs/notices/_index.md
@@ -0,0 +1,9 @@
+
+---
+type: docs
+title: "notices"
+linkTitle: "notices"
+description: "Dubbo notices"
+weight: 90
+---
+
diff --git a/content/en/docs/notices/security.md b/content/en/docs/notices/security.md
new file mode 100755
index 0000000..8268dbe
--- /dev/null
+++ b/content/en/docs/notices/security.md
@@ -0,0 +1,27 @@
+
+---
+type: docs
+title: "vulnerability"
+linkTitle: "vulnerability"
+description: "Deserialization Vulnerability"
+weight: 90
+---
+
+
+## 序列化
+Dubbo supports the extension of serialization protocol. Theoretically, users can enable serialization protocol with arbitrary order based on the extension mechanism, which brings great flexibility, but at the same time, they should be aware of the potential security risks.
+Data deserialization is one of the most vulnerable links to be exploited by attackers. Attackers use it to steal or destroy server-side data, such as rce attack. Before switching the serialization protocol or implementation, the user can,
+We should fully investigate the security guarantee of target serialization protocol and its framework implementation, and set corresponding security measures in advance (such as setting Black / white list). The Dubbo framework itself cannot guarantee the security of the target serialization mechanism.
+
+Dubbo 2.7 The official version provides the following serialization protocols:
+* Hessian2
+* Fastjson
+* Kryo
+* FST
+* JDK
+* Protostuff/Protobuf
+* Avro
+* Gson
+
+For the above serialization extension, after finding or receiving the relevant vulnerability report, Dubbo will follow up and upgrade to the latest security version, but the final vulnerability repair scheme depends on the serialization framework implementation.
+> For users using [dubbo hessian2](https://github.com/apache/dubbo-hessian-lite/releases), Dubbo will guarantee the security of Hessian 2 serialization mechanism and repair the reported security vulnerabilities as much as possible
diff --git a/content/zh/docs/notices/_index.md b/content/zh/docs/notices/_index.md
new file mode 100755
index 0000000..d82b2b8
--- /dev/null
+++ b/content/zh/docs/notices/_index.md
@@ -0,0 +1,9 @@
+
+---
+type: docs
+title: "公告栏"
+linkTitle: "公告栏"
+description: "Dubbo 公告"
+weight: 90
+---
+
diff --git a/content/zh/docs/notices/security.md b/content/zh/docs/notices/security.md
new file mode 100755
index 0000000..13bdba9
--- /dev/null
+++ b/content/zh/docs/notices/security.md
@@ -0,0 +1,28 @@
+
+---
+type: docs
+title: "安全漏洞"
+linkTitle: "安全漏洞"
+description: "序列化相关的安全问题说明"
+weight: 90
+---
+
+
+## 序列化
+Dubbo 支持序列化协议的扩展,理论上用户可以基于该扩展机制启用任意序的列化协议,这带来了极大的灵活的,但同时也要意识到其中潜藏的安全性风险。
+数据反序列化是最容易被被攻击者利用的一个环节,攻击者利用它执行 RCE 攻击等窃取或破坏服务端数据,用户在切换序列化协议或实现前,
+应充分调研目标序列化协议及其框架实现的安全性保障,并提前设置相应的安全措施(如设置黑/白名单)。Dubbo 框架自身并不能保证目标序列化机制的安全性。
+
+Dubbo 2.7 官方版本提供的序列化协议有如下几种:
+* Hessian2
+* Fastjson
+* Kryo
+* FST
+* JDK
+* Protostuff/Protobuf
+* Avro
+* Gson
+
+针对以上序列化扩展,在发现或收到相关的漏洞报告之后,Dubbo 官方会跟进并升级依赖到最新的安全版本,但最终的漏洞修复方案取决于序列化的框架实现。
+
+> 针对使用 [dubbo hessian2](https://github.com/apache/dubbo-hessian-lite/releases) 版本的用户,Dubbo 官方会保证hessian2序列化机制的安全性并尽可能的修复上报的安全漏洞
