diff --git a/docs/Analyzer Configuration.md b/docs/Analyzer Configuration.md
index e137ec3179..b4c6fd6f95 100644
--- a/docs/Analyzer Configuration.md	
+++ b/docs/Analyzer Configuration.md	
@@ -113,7 +113,7 @@ Examples:
 ### Excluded symbol names
 Option Name: `excluded_symbol_names`
 
-Configurable Rules: [CA1303](https://docs.microsoft.com/visualstudio/code-quality/ca1303-do-not-pass-literals-as-localized-parameters), [CA1062](https://docs.microsoft.com/visualstudio/code-quality/ca1062-validate-arguments-of-public-methods), CA1508, [CA2000](https://docs.microsoft.com/visualstudio/code-quality/ca2000-dispose-objects-before-losing-scope), [CA2100](https://docs.microsoft.com/visualstudio/code-quality/ca2100-review-sql-queries-for-security-vulnerabilities), [CA2301](https://docs.microsoft.com/visualstudio/code-quality/ca2301-do-not-call-binaryformatter-deserialize-without-first-setting-binaryformatter-binder), [CA2302](https://docs.microsoft.com/visualstudio/code-quality/ca2302-ensure-binaryformatter-binder-is-set-before-calling-binaryformatter-deserialize), [CA2311](https://docs.microsoft.com/visualstudio/code-quality/ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder), [CA2312](https://docs.microsoft.com/visualstudio/code-quality/ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing), [CA2321](https://docs.microsoft.com/visualstudio/code-quality/ca2321), [CA2322](https://docs.microsoft.com/visualstudio/code-quality/ca2322), CA2327, CA2328, [CA3001](https://docs.microsoft.com/visualstudio/code-quality/ca3001-review-code-for-sql-injection-vulnerabilities), [CA3002](https://docs.microsoft.com/visualstudio/code-quality/ca3002-review-code-for-xss-vulnerabilities), [CA3003](https://docs.microsoft.com/visualstudio/code-quality/ca3003-review-code-for-file-path-injection-vulnerabilities), [CA3004](https://docs.microsoft.com/visualstudio/code-quality/ca3004-review-code-for-information-disclosure-vulnerabilities), [CA3005](https://docs.microsoft.com/visualstudio/code-quality/ca3005-review-code-for-ldap-injection-vulnerabilities), [CA3006](https://docs.microsoft.com/visualstudio/code-quality/ca3006-review-code-for-process-command-injection-vulnerabilities), [CA3007](https://docs.microsoft.com/visualstudio/code-quality/ca3007-review-code-for-open-redirect-vulnerabilities), [CA3008](https://docs.microsoft.com/visualstudio/code-quality/ca3008-review-code-for-xpath-injection-vulnerabilities), [CA3009](https://docs.microsoft.com/visualstudio/code-quality/ca3009-review-code-for-xml-injection-vulnerabilities), [CA3010](https://docs.microsoft.com/visualstudio/code-quality/ca3010-review-code-for-xaml-injection-vulnerabilities), [CA3011](https://docs.microsoft.com/visualstudio/code-quality/ca3011-review-code-for-dll-injection-vulnerabilities), [CA3012](https://docs.microsoft.com/visualstudio/code-quality/ca3012-review-code-for-regex-injection-vulnerabilities), CA5361, CA5376, CA5377, CA5378, CA5380, CA5381, CA5382, CA5383, CA5384, CA5387, CA5388, CA5389, CA5390
+Configurable Rules: [CA1303](https://docs.microsoft.com/visualstudio/code-quality/ca1303-do-not-pass-literals-as-localized-parameters), [CA1062](https://docs.microsoft.com/visualstudio/code-quality/ca1062-validate-arguments-of-public-methods), CA1508, [CA2000](https://docs.microsoft.com/visualstudio/code-quality/ca2000-dispose-objects-before-losing-scope), [CA2100](https://docs.microsoft.com/visualstudio/code-quality/ca2100-review-sql-queries-for-security-vulnerabilities), [CA2301](https://docs.microsoft.com/visualstudio/code-quality/ca2301-do-not-call-binaryformatter-deserialize-without-first-setting-binaryformatter-binder), [CA2302](https://docs.microsoft.com/visualstudio/code-quality/ca2302-ensure-binaryformatter-binder-is-set-before-calling-binaryformatter-deserialize), [CA2311](https://docs.microsoft.com/visualstudio/code-quality/ca2311-do-not-deserialize-without-first-setting-netdatacontractserializer-binder), [CA2312](https://docs.microsoft.com/visualstudio/code-quality/ca2312-ensure-netdatacontractserializer-binder-is-set-before-deserializing), [CA2321](https://docs.microsoft.com/visualstudio/code-quality/ca2321), [CA2322](https://docs.microsoft.com/visualstudio/code-quality/ca2322), CA2327, CA2328, CA2329, CA2330, [CA3001](https://docs.microsoft.com/visualstudio/code-quality/ca3001-review-code-for-sql-injection-vulnerabilities), [CA3002](https://docs.microsoft.com/visualstudio/code-quality/ca3002-review-code-for-xss-vulnerabilities), [CA3003](https://docs.microsoft.com/visualstudio/code-quality/ca3003-review-code-for-file-path-injection-vulnerabilities), [CA3004](https://docs.microsoft.com/visualstudio/code-quality/ca3004-review-code-for-information-disclosure-vulnerabilities), [CA3005](https://docs.microsoft.com/visualstudio/code-quality/ca3005-review-code-for-ldap-injection-vulnerabilities), [CA3006](https://docs.microsoft.com/visualstudio/code-quality/ca3006-review-code-for-process-command-injection-vulnerabilities), [CA3007](https://docs.microsoft.com/visualstudio/code-quality/ca3007-review-code-for-open-redirect-vulnerabilities), [CA3008](https://docs.microsoft.com/visualstudio/code-quality/ca3008-review-code-for-xpath-injection-vulnerabilities), [CA3009](https://docs.microsoft.com/visualstudio/code-quality/ca3009-review-code-for-xml-injection-vulnerabilities), [CA3010](https://docs.microsoft.com/visualstudio/code-quality/ca3010-review-code-for-xaml-injection-vulnerabilities), [CA3011](https://docs.microsoft.com/visualstudio/code-quality/ca3011-review-code-for-dll-injection-vulnerabilities), [CA3012](https://docs.microsoft.com/visualstudio/code-quality/ca3012-review-code-for-regex-injection-vulnerabilities), CA5361, CA5376, CA5377, CA5378, CA5380, CA5381, CA5382, CA5383, CA5384, CA5387, CA5388, CA5389, CA5390
 
 Option Values: Names of symbols (separated by '|') that are excluded for analysis.
 Allowed symbol name formats:
diff --git a/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx b/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx
index 5065bca2c6..b9b4f8230c 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx
+++ b/src/Microsoft.NetCore.Analyzers/Core/MicrosoftNetCoreAnalyzersResources.resx
@@ -1062,4 +1062,16 @@
   <data name="DoNotCreateTasksWithoutPassingATaskSchedulerMessage" xml:space="preserve">
     <value>Do not create tasks without passing a TaskScheduler</value>
   </data>
+  <data name="JsonNetInsecureSerializerMessage" xml:space="preserve">
+    <value>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</value>
+  </data>
+  <data name="JsonNetInsecureSerializerTitle" xml:space="preserve">
+    <value>Do not deserialize with JsonSerializer using an insecure configuration</value>
+  </data>
+  <data name="JsonNetMaybeInsecureSerializerMessage" xml:space="preserve">
+    <value>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</value>
+  </data>
+  <data name="JsonNetMaybeInsecureSerializerTitle" xml:space="preserve">
+    <value>Ensure that JsonSerializer has a secure configuration when deserializing</value>
+  </data>
 </root>
\ No newline at end of file
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs
new file mode 100644
index 0000000000..889f159bd7
--- /dev/null
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinder.cs
@@ -0,0 +1,250 @@
+// Copyright (c) Microsoft.  All Rights Reserved.  Licensed under the Apache License, Version 2.0.  See License.txt in the project root for license information.
+
+using System.Collections.Generic;
+using System.Collections.Immutable;
+using System.Diagnostics;
+using System.Diagnostics.CodeAnalysis;
+using System.Linq;
+using Analyzer.Utilities;
+using Analyzer.Utilities.Extensions;
+using Analyzer.Utilities.FlowAnalysis.Analysis.PropertySetAnalysis;
+using Analyzer.Utilities.PooledObjects;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Microsoft.CodeAnalysis.FlowAnalysis.DataFlow;
+using Microsoft.CodeAnalysis.FlowAnalysis.DataFlow.PointsToAnalysis;
+using Microsoft.CodeAnalysis.FlowAnalysis.DataFlow.ValueContentAnalysis;
+using Microsoft.CodeAnalysis.Operations;
+using Microsoft.NetCore.Analyzers.Security.Helpers;
+
+namespace Microsoft.NetCore.Analyzers.Security
+{
+    /// <summary>
+    /// For detecting deserialization with <see cref="T:Newtonsoft.Json.JsonSerializer"/> when its TypeNameHandling != None
+    /// and its Binder/SerializationBinder is null.
+    /// </summary>
+    [SuppressMessage("Documentation", "CA1200:Avoid using cref tags with a prefix", Justification = "The comment references a type that is not referenced by this compilation.")]
+    [DiagnosticAnalyzer(LanguageNames.CSharp, LanguageNames.VisualBasic)]
+    internal class DoNotUseInsecureDeserializerJsonNetWithoutBinder : DiagnosticAnalyzer
+    {
+        // TODO paulming: Help links URLs.
+        internal static readonly DiagnosticDescriptor DefinitelyInsecureSerializer =
+            SecurityHelpers.CreateDiagnosticDescriptor(
+                "CA2329",
+                nameof(MicrosoftNetCoreAnalyzersResources.JsonNetInsecureSerializerTitle),
+                nameof(MicrosoftNetCoreAnalyzersResources.JsonNetInsecureSerializerMessage),
+                isEnabledByDefault: false,
+                helpLinkUri: null,
+                customTags: WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry);
+        internal static readonly DiagnosticDescriptor MaybeInsecureSerializer =
+            SecurityHelpers.CreateDiagnosticDescriptor(
+                "CA2330",
+                nameof(MicrosoftNetCoreAnalyzersResources.JsonNetMaybeInsecureSerializerTitle),
+                nameof(MicrosoftNetCoreAnalyzersResources.JsonNetMaybeInsecureSerializerMessage),
+                isEnabledByDefault: false,
+                helpLinkUri: null,
+                customTags: WellKnownDiagnosticTagsExtensions.DataflowAndTelemetry);
+
+        public override ImmutableArray<DiagnosticDescriptor> SupportedDiagnostics =>
+            ImmutableArray.Create(
+                DefinitelyInsecureSerializer,
+                MaybeInsecureSerializer);
+
+        /// <summary>
+        /// PropertySetAbstractValue index for TypeNameHandling property.
+        /// </summary>
+        private const int TypeNameHandlingIndex = 0;
+
+        /// <summary>
+        /// PropertySetAbstractValue index for Binder / SerializationBinder properties (both are aliased to same underlying value).
+        /// </summary>
+        private const int SerializationBinderIndex = 1;
+
+        private static readonly ConstructorMapper ConstructorMapper = new ConstructorMapper(
+            (IMethodSymbol constructorMethod, IReadOnlyList<PointsToAbstractValue> argumentPointsToAbstractValues) =>
+            {
+                if (constructorMethod.Parameters.Length == 0)
+                {
+                    return PropertySetAbstractValue.GetInstance(
+                        PropertySetAbstractValueKind.Unflagged,   // TypeNameHandling defaults to None.
+                        PropertySetAbstractValueKind.Flagged);    // Binder / SerializationBinder defaults to null.
+                }
+                else
+                {
+                    Debug.Fail($"Unhandled JsonSerializer constructor {constructorMethod.ToDisplayString(SymbolDisplayFormat.MinimallyQualifiedFormat)}");
+                    return PropertySetAbstractValue.GetInstance(
+                        PropertySetAbstractValueKind.Unflagged,
+                        PropertySetAbstractValueKind.Unflagged);
+                }
+            });
+
+        private static readonly PropertyMapperCollection PropertyMappers = new PropertyMapperCollection(
+            new PropertyMapper(
+                "TypeNameHandling",
+                (ValueContentAbstractValue valueContentAbstractValue) =>
+                    PropertySetCallbacks.EvaluateLiteralValues(
+                        valueContentAbstractValue,
+                        (object o) => o is int i && i != 0),   // None is 0, and anything other than None is flagged.
+                TypeNameHandlingIndex),
+            new PropertyMapper(
+                "Binder",
+                PropertySetCallbacks.FlagIfNull,
+                SerializationBinderIndex),      // Binder & SerializationBinder have the same underlying value.
+            new PropertyMapper(
+                "SerializationBinder",
+                PropertySetCallbacks.FlagIfNull,
+                SerializationBinderIndex));     // Binder & SerializationBinder have the same underlying value.
+
+        private static readonly HazardousUsageEvaluatorCollection HazardousUsageEvaluators = new HazardousUsageEvaluatorCollection(
+            SecurityHelpers.JsonSerializerDeserializationMethods.Select(
+                (string methodName) => new HazardousUsageEvaluator(
+                    methodName,
+                    PropertySetCallbacks.HazardousIfAllFlaggedAndAtLeastOneKnown))
+                .Concat(
+                    new HazardousUsageEvaluator(
+                        HazardousUsageEvaluatorKind.Initialization,
+                        PropertySetCallbacks.HazardousIfAllFlaggedAndAtLeastOneKnown)));
+
+        public override void Initialize(AnalysisContext context)
+        {
+            context.EnableConcurrentExecution();
+
+            // Security analyzer - analyze and report diagnostics on generated code.
+            context.ConfigureGeneratedCodeAnalysis(GeneratedCodeAnalysisFlags.Analyze | GeneratedCodeAnalysisFlags.ReportDiagnostics);
+
+            context.RegisterCompilationStartAction(
+                (CompilationStartAnalysisContext compilationStartAnalysisContext) =>
+                {
+                    WellKnownTypeProvider wellKnownTypeProvider = WellKnownTypeProvider.GetOrCreate(compilationStartAnalysisContext.Compilation);
+                    if (!wellKnownTypeProvider.TryGetTypeByMetadataName(
+                            WellKnownTypeNames.NewtonsoftJsonJsonSerializer,
+                            out INamedTypeSymbol jsonSerializerSymbol))
+                    {
+                        return;
+                    }
+
+                    PooledHashSet<(IOperation Operation, ISymbol ContainingSymbol)> rootOperationsNeedingAnalysis = PooledHashSet<(IOperation, ISymbol)>.GetInstance();
+
+                    compilationStartAnalysisContext.RegisterOperationBlockStartAction(
+                        (OperationBlockStartAnalysisContext operationBlockStartAnalysisContext) =>
+                        {
+                            ISymbol owningSymbol = operationBlockStartAnalysisContext.OwningSymbol;
+
+                            // TODO: Handle case when exactly one of the below rules is configured to skip analysis.
+                            if (owningSymbol.IsConfiguredToSkipAnalysis(
+                                    operationBlockStartAnalysisContext.Options,
+                                    DefinitelyInsecureSerializer,
+                                    operationBlockStartAnalysisContext.Compilation,
+                                    operationBlockStartAnalysisContext.CancellationToken)
+                                && owningSymbol.IsConfiguredToSkipAnalysis(
+                                    operationBlockStartAnalysisContext.Options,
+                                    MaybeInsecureSerializer,
+                                    operationBlockStartAnalysisContext.Compilation,
+                                    operationBlockStartAnalysisContext.CancellationToken))
+                            {
+                                return;
+                            }
+
+                            operationBlockStartAnalysisContext.RegisterOperationAction(
+                                (OperationAnalysisContext operationAnalysisContext) =>
+                                {
+                                    IInvocationOperation invocationOperation =
+                                        (IInvocationOperation)operationAnalysisContext.Operation;
+                                    if (jsonSerializerSymbol.Equals(invocationOperation.TargetMethod.ContainingType)
+                                        && SecurityHelpers.JsonSerializerDeserializationMethods.Contains(
+                                               invocationOperation.TargetMethod.Name))
+                                    {
+                                        lock (rootOperationsNeedingAnalysis)
+                                        {
+                                            rootOperationsNeedingAnalysis.Add(
+                                                (invocationOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
+                                        }
+                                    }
+                                },
+                                OperationKind.Invocation);
+
+                            operationBlockStartAnalysisContext.RegisterOperationAction(
+                                (OperationAnalysisContext operationAnalysisContext) =>
+                                {
+                                    IObjectCreationOperation objectCreationOperation =
+                                        (IObjectCreationOperation)operationAnalysisContext.Operation;
+                                    if (jsonSerializerSymbol.Equals(objectCreationOperation.Type))
+                                    {
+                                        lock (rootOperationsNeedingAnalysis)
+                                        {
+                                            rootOperationsNeedingAnalysis.Add(
+                                                (objectCreationOperation.GetRoot(), operationAnalysisContext.ContainingSymbol));
+                                        }
+                                    }
+                                },
+                                OperationKind.ObjectCreation);
+                        });
+
+                    compilationStartAnalysisContext.RegisterCompilationEndAction(
+                        (CompilationAnalysisContext compilationAnalysisContext) =>
+                        {
+                            PooledDictionary<(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> allResults = null;
+                            try
+                            {
+                                lock (rootOperationsNeedingAnalysis)
+                                {
+                                    if (!rootOperationsNeedingAnalysis.Any())
+                                    {
+                                        return;
+                                    }
+
+                                    allResults = PropertySetAnalysis.BatchGetOrComputeHazardousUsages(
+                                        compilationAnalysisContext.Compilation,
+                                        rootOperationsNeedingAnalysis,
+                                        compilationAnalysisContext.Options,
+                                        WellKnownTypeNames.NewtonsoftJsonJsonSerializer,
+                                        ConstructorMapper,
+                                        PropertyMappers,
+                                        HazardousUsageEvaluators,
+                                        InterproceduralAnalysisConfiguration.Create(
+                                            compilationAnalysisContext.Options,
+                                            SupportedDiagnostics,
+                                            defaultInterproceduralAnalysisKind: InterproceduralAnalysisKind.ContextSensitive,
+                                            cancellationToken: compilationAnalysisContext.CancellationToken));
+                                }
+
+                                if (allResults == null)
+                                {
+                                    return;
+                                }
+
+                                foreach (KeyValuePair<(Location Location, IMethodSymbol Method), HazardousUsageEvaluationResult> kvp
+                                    in allResults)
+                                {
+                                    DiagnosticDescriptor descriptor;
+                                    switch (kvp.Value)
+                                    {
+                                        case HazardousUsageEvaluationResult.Flagged:
+                                            descriptor = DefinitelyInsecureSerializer;
+                                            break;
+
+                                        case HazardousUsageEvaluationResult.MaybeFlagged:
+                                            descriptor = MaybeInsecureSerializer;
+                                            break;
+
+                                        default:
+                                            Debug.Fail($"Unhandled result value {kvp.Value}");
+                                            continue;
+                                    }
+
+                                    compilationAnalysisContext.ReportDiagnostic(
+                                        Diagnostic.Create(
+                                            descriptor,
+                                            kvp.Key.Location));
+                                }
+                            }
+                            finally
+                            {
+                                rootOperationsNeedingAnalysis.Free();
+                                allResults?.Free();
+                            }
+                        });
+                });
+        }
+    }
+}
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureSettingsForJsonNet.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureSettingsForJsonNet.cs
index f97d2b293d..992b9dd2d1 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureSettingsForJsonNet.cs
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/DoNotUseInsecureSettingsForJsonNet.cs
@@ -83,7 +83,7 @@ public sealed class DoNotUseInsecureSettingsForJsonNet : DiagnosticAnalyzer
                 (ValueContentAbstractValue valueContentAbstractValue) =>
                     PropertySetCallbacks.EvaluateLiteralValues(
                         valueContentAbstractValue,
-                        (object o) => o is int i && i != 0),
+                        (object o) => o is int i && i != 0),    // None is 0, and anything other than None is flagged.
                 TypeNameHandlingIndex),
             new PropertyMapper(
                 "Binder",
diff --git a/src/Microsoft.NetCore.Analyzers/Core/Security/Helpers/SecurityHelpers.cs b/src/Microsoft.NetCore.Analyzers/Core/Security/Helpers/SecurityHelpers.cs
index 4ac3731c55..8a4d91fda1 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/Security/Helpers/SecurityHelpers.cs
+++ b/src/Microsoft.NetCore.Analyzers/Core/Security/Helpers/SecurityHelpers.cs
@@ -139,6 +139,16 @@ public static DiagnosticDescriptor CreateDiagnosticDescriptor(
                 "DeserializeAnonymousType",
                 "PopulateObject");
 
+        /// <summary>
+        /// Deserialization methods for <see cref="T:Newtonsoft.Json.JsonSerializer"/>.
+        /// </summary>
+        [SuppressMessage("Documentation", "CA1200:Avoid using cref tags with a prefix", Justification = "The comment references a type that is not referenced by this compilation.")]
+        public static readonly ImmutableHashSet<string> JsonSerializerDeserializationMethods =
+            ImmutableHashSet.Create(
+                StringComparer.Ordinal,
+                "Deserialize",
+                "Populate");
+
         /// <summary>
         /// Gets a <see cref="LocalizableResourceString"/> from <see cref="MicrosoftNetCoreAnalyzersResources"/>.
         /// </summary>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf
index 6e8052fa64..b976e7f294 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.cs.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="cs" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">Dotazy SQL, které přímo používají uživatelský vstup, můžou být ohrožené útoky injektáží SQL. Zkontrolujte možná ohrožení zabezpečení tohoto dotazu SQL a zvažte možnost použít parametrizovaný dotaz SQL.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf
index 3bad284f58..029b5a1efb 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.de.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="de" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">SQL-Abfragen, die eine Benutzereingabe direkt verwenden, können für Angriffe durch Einschleusung von SQL-Befehlen anfällig sein. Prüfen Sie diese SQL-Abfrage auf potenzielle Sicherheitsrisiken, und ziehen Sie die Verwendung einer parametrisierten SQL-Abfrage in Betracht.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf
index 40a3f2cad0..9da5118691 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.es.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="es" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">Las consultas SQL que usan los datos del usuario directamente pueden ser vulnerables a ataques por inyección de código SQL. Revise la consulta SQL en busca de posibles vulnerabilidades y considere la posibilidad de usar una consulta SQL parametrizada.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf
index d891418cca..ae3424f74a 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.fr.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="fr" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">Les requêtes SQL qui utilisent directement les entrées utilisateur peuvent être vulnérables aux attaques par injection de code SQL. Recherchez dans cette requête SQL d'éventuelles vulnérabilités, puis utilisez une requête SQL paramétrable.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf
index 624cf461b5..3f6f28d619 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.it.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="it" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">Le query SQL che usano direttamente l'input utente possono essere vulnerabili ad attacchi SQL injection. Esaminare la query SQL per individuare potenziali vulnerabilità e provare a usare una query SQL con parametri.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf
index 8cb6cb8e30..b60b7b8ff0 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ja.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="ja" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">ユーザー入力を直接使用する SQL クエリは、SQL インジェクション攻撃に対して脆弱である可能性があります。この SQL クエリをレビューして潜在的な脆弱性を確認し、パラメーター化された SQL クエリの使用を検討してください。</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf
index 091d95e833..f192bd5866 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ko.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="ko" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">사용자 입력을 직접 사용하는 SQL 쿼리는 SQL 삽입 공격에 취약할 수 있습니다. 이 SQL 쿼리에 잠재적인 취약성이 있는지 검토하고 매개 변수화된 SQL 쿼리를 사용하는 것이 좋습니다.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf
index b6d8084934..63fcda271f 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pl.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="pl" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">Zapytania SQL korzystające bezpośrednio z danych wejściowych użytkownika mogą być podatne na ataki polegające na wstrzyknięciu kodu SQL. Sprawdź to zapytanie SQL pod kątem potencjalnych luk i rozważ użycie sparametryzowanego zapytania SQL.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf
index dc5c4f45b0..84e54834d0 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.pt-BR.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="pt-BR" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">As consultas SQL que usam a entrada do usuário diretamente podem ser vulneráveis a ataques de injeção de SQL. Examine esta consulta SQL quanto a possíveis vulnerabilidades e considere o uso de uma consulta SQL parametrizada.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf
index 1eb5b1aabf..babb7ac0e5 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.ru.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="ru" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">SQL-запросы, напрямую использующие введенные пользователем сведения, могут быть подвержены атакам путем внедрения кода SQL. Проверьте этот SQL-запрос на наличие уязвимостей и рассмотрите возможность использования параметризованного SQL-запроса.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf
index df67fe658e..3a0ea8861d 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.tr.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="tr" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">Doğrudan kullanıcı girişi kullanan SQL sorguları, SQL ekleme saldırılarına karşı savunmasız olabilir. Bu SQL sorgusunu olası güvenlik açıkları için inceleyin ve parametre tabanlı bir SQL sorgusu kullanmayı deneyin.</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf
index 3ae55fc1f7..633459c115 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hans.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="zh-Hans" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">直接使用用户输入的 SQL 查询可能容易受到 SQL 注入攻击。查看此 SQL 查询以查找潜在漏洞，请考虑使用参数化 SQL 查询。</target>
diff --git a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf
index 77ebcb7413..cfcfc2db65 100644
--- a/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf
+++ b/src/Microsoft.NetCore.Analyzers/Core/xlf/MicrosoftNetCoreAnalyzersResources.zh-Hant.xlf
@@ -2,6 +2,26 @@
 <xliff xmlns="urn:oasis:names:tc:xliff:document:1.2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="1.2" xsi:schemaLocation="urn:oasis:names:tc:xliff:document:1.2 xliff-core-1.2-transitional.xsd">
   <file datatype="xml" source-language="en" target-language="zh-Hant" original="../MicrosoftNetCoreAnalyzersResources.resx">
     <body>
+      <trans-unit id="JsonNetInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetInsecureSerializerTitle">
+        <source>Do not deserialize with JsonSerializer using an insecure configuration</source>
+        <target state="new">Do not deserialize with JsonSerializer using an insecure configuration</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerMessage">
+        <source>When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</source>
+        <target state="new">When deserializing untrusted input, allowing arbitrary types to be deserialized is insecure. When using deserializing JsonSerializer, use TypeNameHandling.None, or for values other than None, restrict deserialized types with a SerializationBinder.</target>
+        <note />
+      </trans-unit>
+      <trans-unit id="JsonNetMaybeInsecureSerializerTitle">
+        <source>Ensure that JsonSerializer has a secure configuration when deserializing</source>
+        <target state="new">Ensure that JsonSerializer has a secure configuration when deserializing</target>
+        <note />
+      </trans-unit>
       <trans-unit id="ReviewSQLQueriesForSecurityVulnerabilitiesDescription">
         <source>SQL queries that directly use user input can be vulnerable to SQL injection attacks. Review this SQL query for potential vulnerabilities, and consider using a parameterized SQL query.</source>
         <target state="translated">直接利用使用者輸入的 SQL 查詢，有可能會受到插入 SQL 的攻擊。請檢閱此 SQL 查詢是否有潛在的弱點，並請考慮使用參數化的 SQL 查詢。</target>
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinderTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinderTests.cs
new file mode 100644
index 0000000000..dc5fd37095
--- /dev/null
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/DoNotUseInsecureDeserializerJsonNetWithoutBinderTests.cs
@@ -0,0 +1,255 @@
+// Copyright (c) Microsoft.  All Rights Reserved.  Licensed under the Apache License, Version 2.0.  See License.txt in the project root for license information.
+
+using System;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.Diagnostics;
+using Microsoft.CodeAnalysis.Testing;
+using Test.Utilities;
+using Test.Utilities.MinimalImplementations;
+using Xunit;
+
+namespace Microsoft.NetCore.Analyzers.Security.UnitTests
+{
+    [Trait(Traits.DataflowAnalysis, Traits.Dataflow.PropertySetAnalysis)]
+    public class DoNotUseInsecureDeserializerJsonNetWithoutBinderTests : DiagnosticAnalyzerTestBase
+    {
+        private static readonly DiagnosticDescriptor DefinitelyRule =
+            DoNotUseInsecureDeserializerJsonNetWithoutBinder.DefinitelyInsecureSerializer;
+        private static readonly DiagnosticDescriptor MaybeRule =
+            DoNotUseInsecureDeserializerJsonNetWithoutBinder.MaybeInsecureSerializer;
+
+        [Fact]
+        public void Insecure_JsonSerializer_Deserialize_DefinitelyDiagnostic()
+        {
+            this.VerifyCSharpWithJsonNet(@"
+using Newtonsoft.Json;
+
+class Blah
+{
+    object Method(JsonReader jr)
+    {
+        JsonSerializer serializer = new JsonSerializer();
+        serializer.TypeNameHandling = TypeNameHandling.All;
+        return serializer.Deserialize(jr);
+    }
+}",
+                GetCSharpResultAt(10, 16, DefinitelyRule));
+        }
+
+        [Fact]
+        public void ExplicitlyNone_JsonSerializer_Deserialize_NoDiagnostic()
+        {
+            this.VerifyCSharpWithJsonNet(@"
+using Newtonsoft.Json;
+
+class Blah
+{
+    object Method(JsonReader jr)
+    {
+        JsonSerializer serializer = new JsonSerializer();
+        serializer.TypeNameHandling = TypeNameHandling.None;
+        return serializer.Deserialize(jr);
+    }
+}");
+        }
+
+        [Fact]
+        public void AllAndBinder_JsonSerializer_Deserialize_NoDiagnostic()
+        {
+            this.VerifyCSharpWithJsonNet(@"
+using System;
+using Newtonsoft.Json;
+
+class Blah
+{
+    private Func<ISerializationBinder> SbGetter;
+
+    object Method(JsonReader jr)
+    {
+        ISerializationBinder sb = SbGetter();
+        if (sb != null)
+        {
+            JsonSerializer serializer = new JsonSerializer();
+            serializer.TypeNameHandling = TypeNameHandling.All;
+            serializer.SerializationBinder = sb;
+            return serializer.Deserialize(jr);
+        }
+        else
+        {
+            return null;
+        }
+    }
+}");
+        }
+
+        [Fact]
+        public void InitializeField_JsonSerializer_Diagnostic()
+        {
+            this.VerifyCSharpWithJsonNet(@"
+using Newtonsoft.Json;
+
+class Blah
+{
+    JsonSerializer MyJsonSerializer;
+
+    void Init()
+    {
+        this.MyJsonSerializer = new JsonSerializer();
+        this.MyJsonSerializer.TypeNameHandling = TypeNameHandling.All;
+    }
+}",
+                GetCSharpResultAt(10, 9, DefinitelyRule));
+        }
+
+        [Fact]
+        public void Insecure_JsonSerializer_Populate_MaybeDiagnostic()
+        {
+            this.VerifyCSharpWithJsonNet(@"
+using System;
+using Newtonsoft.Json;
+
+class Blah
+{
+    private Func<ISerializationBinder> SbGetter;
+
+    object Method(JsonReader jr)
+    {
+        JsonSerializer serializer = new JsonSerializer();
+        serializer.TypeNameHandling = TypeNameHandling.All;
+        serializer.SerializationBinder = SbGetter();
+        object o = new object();
+        serializer.Populate(jr, o);
+        return o;
+    }
+}",
+                GetCSharpResultAt(15, 9, MaybeRule));
+        }
+
+        [Fact]
+        public void Insecure_JsonSerializer_DeserializeGeneric_MaybeDiagnostic()
+        {
+            this.VerifyCSharpWithJsonNet(@"
+using System;
+using Newtonsoft.Json;
+
+class Blah
+{
+    private Func<ISerializationBinder> SbGetter;
+
+    T Method<T>(JsonReader jr)
+    {
+        JsonSerializer serializer = new JsonSerializer();
+        serializer.TypeNameHandling = TypeNameHandling.All;
+        serializer.SerializationBinder = SbGetter();
+        return serializer.Deserialize<T>(jr);
+    }
+}",
+                GetCSharpResultAt(14, 16, MaybeRule));
+        }
+
+        // Ideally, we'd transfer the JsonSerializerSettings' TypeNameHandling's state to the JsonSerializer's TypeNameHandling's state.
+        [Fact]
+        public void Insecure_JsonSerializer_FromInsecureSettings_DeserializeGeneric_NoDiagnostic()
+        {
+            this.VerifyCSharpWithJsonNet(@"
+using System;
+using Newtonsoft.Json;
+
+class Blah
+{
+    private Func<ISerializationBinder> SbGetter;
+
+    T Method<T>(JsonReader jr)
+    {
+        JsonSerializerSettings settings = new JsonSerializerSettings()
+        {
+            TypeNameHandling = TypeNameHandling.Arrays,
+        };
+        JsonSerializer serializer = JsonSerializer.Create(settings);
+        return serializer.Deserialize<T>(jr);
+    }
+}");
+        }
+
+        [Fact]
+        public void TypeNameHandlingNoneBinderNonNull_JsonSerializer_Populate_NoDiagnostic()
+        {
+            this.VerifyCSharpWithJsonNet(@"
+using System;
+using System.Runtime.Serialization;
+using Newtonsoft.Json;
+
+class Blah
+{
+    private Func<SerializationBinder> SbGetter;
+
+    object Method(JsonReader jr)
+    {
+        SerializationBinder sb = SbGetter();
+        if (sb != null)
+        {
+            JsonSerializer serializer = new JsonSerializer();
+            serializer.Binder = sb;
+            object o = new object();
+            serializer.Populate(jr, o);
+            return o;
+        }
+        else
+        {
+            return null;
+        }
+    }
+}");
+        }
+
+        [Theory]
+        [InlineData("")]
+        [InlineData("dotnet_code_quality.excluded_symbol_names = Method")]
+        [InlineData(@"dotnet_code_quality.CA2329.excluded_symbol_names = Method
+                      dotnet_code_quality.CA2330.excluded_symbol_names = Method")]
+        [InlineData("dotnet_code_quality.dataflow.excluded_symbol_names = Method")]
+        public void EditorConfigConfiguration_ExcludedSymbolNamesOption(string editorConfigText)
+        {
+            DiagnosticResult[] expected = Array.Empty<DiagnosticResult>();
+            if (editorConfigText.Length == 0)
+            {
+                expected = new DiagnosticResult[]
+                {
+                    GetCSharpResultAt(10, 16, DefinitelyRule)
+                };
+            }
+
+            VerifyCSharpAcrossTwoAssemblies(
+                NewtonsoftJsonNetApis.CSharp,
+                @"
+using Newtonsoft.Json;
+
+class Blah
+{
+    object Method(JsonReader jr)
+    {
+        JsonSerializer serializer = new JsonSerializer();
+        serializer.TypeNameHandling = TypeNameHandling.All;
+        return serializer.Deserialize(jr);
+    }
+}",
+                GetEditorConfigAdditionalFile(editorConfigText),
+                expected);
+        }
+
+        protected override DiagnosticAnalyzer GetBasicDiagnosticAnalyzer()
+        {
+            return new DoNotUseInsecureDeserializerJsonNetWithoutBinder();
+        }
+
+        protected override DiagnosticAnalyzer GetCSharpDiagnosticAnalyzer()
+        {
+            return new DoNotUseInsecureDeserializerJsonNetWithoutBinder();
+        }
+
+        private void VerifyCSharpWithJsonNet(string source, params DiagnosticResult[] expected)
+        {
+            this.VerifyCSharpAcrossTwoAssemblies(NewtonsoftJsonNetApis.CSharp, source, expected);
+        }
+    }
+}
diff --git a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/JsonNetTypeNameHandlingTests.cs b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/JsonNetTypeNameHandlingTests.cs
index 4d5337c0af..993eeb7887 100644
--- a/src/Microsoft.NetCore.Analyzers/UnitTests/Security/JsonNetTypeNameHandlingTests.cs
+++ b/src/Microsoft.NetCore.Analyzers/UnitTests/Security/JsonNetTypeNameHandlingTests.cs
@@ -11,7 +11,7 @@ namespace Microsoft.NetCore.Analyzers.Security.UnitTests
 {
     public class JsonNetTypeNameHandlingTests : DiagnosticAnalyzerTestBase
     {
-        private static DiagnosticDescriptor Rule = JsonNetTypeNameHandling.Rule;
+        private static readonly DiagnosticDescriptor Rule = JsonNetTypeNameHandling.Rule;
 
         protected override DiagnosticAnalyzer GetBasicDiagnosticAnalyzer()
         {
diff --git a/src/Test.Utilities/MinimalImplementations/NewtonsoftJsonNetApis.cs b/src/Test.Utilities/MinimalImplementations/NewtonsoftJsonNetApis.cs
index 739f0ec311..1b80d9cfdf 100644
--- a/src/Test.Utilities/MinimalImplementations/NewtonsoftJsonNetApis.cs
+++ b/src/Test.Utilities/MinimalImplementations/NewtonsoftJsonNetApis.cs
@@ -125,6 +125,12 @@ public static JsonSerializer CreateDefault(JsonSerializerSettings settings)
             return null;
         }
 
+        public TypeNameHandling TypeNameHandling { get; set; }
+
+        public SerializationBinder Binder { get; set; }
+
+        public ISerializationBinder SerializationBinder { get; set; }
+
         public object Deserialize(JsonReader reader)
         {
             return null;
diff --git a/tools/Snippets/EditorConfigExcludedSymbolNamesTest.snippet b/tools/Snippets/EditorConfigExcludedSymbolNamesTest.snippet
new file mode 100644
index 0000000000..16ee73b2fb
--- /dev/null
+++ b/tools/Snippets/EditorConfigExcludedSymbolNamesTest.snippet
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="utf-8"?>
+<CodeSnippets xmlns="http://schemas.microsoft.com/VisualStudio/2005/CodeSnippet">
+    <CodeSnippet Format="1.0.0">
+        <Header>
+            <Title>EditorConfig ExcludedSymbolNames unit test</Title>
+            <Description>A unit test template for a Microsoft.CodeAnalysis.FxCopAnalyzers analyzer for excluding symbol names with EditorConfig.</Description>
+            <Shortcut>edcfgtest</Shortcut>
+        </Header>
+        <Snippet>
+            <Code Language="CSharp">
+                <![CDATA[
+        [Theory]
+        [InlineData("")]
+        [InlineData("dotnet_code_quality.excluded_symbol_names = $SymbolName$")]
+        [InlineData(@"dotnet_code_quality.$RuleId$.excluded_symbol_names = $SymbolName$")]
+        [InlineData("dotnet_code_quality.dataflow.excluded_symbol_names = $SymbolName$")]
+        public void EditorConfigConfiguration_ExcludedSymbolNamesOption(string editorConfigText)
+        {
+            var expected = Array.Empty<DiagnosticResult>();
+            if (editorConfigText.Length == 0)
+            {
+                expected = new DiagnosticResult[]
+                {
+                    // *** Insert your expected results for one of your simple unit tests here.
+                };
+            }
+
+            // *** Replace this VerifyCSharp()'s first parameter with one of your simple unit tests.
+            VerifyCSharp(
+                @"",
+                GetEditorConfigAdditionalFile(editorConfigText), 
+                expected);
+        }]]>
+            </Code>
+            <Imports>
+                <Import>
+                    <Namespace>System</Namespace>
+                </Import>
+            </Imports>
+            <Declarations>
+                <Literal>
+                    <ID>RuleId</ID>
+                    <ToolTip>RuleId being tested</ToolTip>
+                    <Default>CA</Default>
+                </Literal>
+                <Literal>
+                    <ID>SymbolName</ID>
+                    <ToolTip>Symbol to be excluded within the unit test's test code.</ToolTip>
+                    <Default>TestMethod</Default>
+                </Literal>
+            </Declarations>
+        </Snippet>
+    </CodeSnippet>
+</CodeSnippets>
\ No newline at end of file