diff --git a/README.md b/README.md
index 3d3b177bba..e079e6535d 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,9 @@ bridge. Right there's an ongoing work to make our bridge work with XCM messages.
 available at [encoded-calls-messaging](https://github.com/paritytech/parity-bridges-common/releases/tag/encoded-calls-messaging)
 tag.
 
+**IMPORTANT**: some portions of the code is still in active development and need proper review and
+security audit. You may find details in the [REVIEW-STATUS.md](./REVIEW-STATUS.md) document.
+
 ## Contents
 
 - [Installation](#installation)
diff --git a/REVIEW-STATUS.md b/REVIEW-STATUS.md
new file mode 100644
index 0000000000..6f0eb9f399
--- /dev/null
+++ b/REVIEW-STATUS.md
@@ -0,0 +1,15 @@
+## Merged pull requests that need reviews
+
+## Code that need security audit
+
+- the whole [parachains finality pallet](./modules/parachains);
+- the whole [relayers pallet](./modules/relayers);
+- parts of the [bridge-runtime-common crate](./bin/runtime-common). They are likely to be removed, though;
+- [CheckBridgedBlockNumber signed extension to reject duplicate header-submit transactions](https://github.com/paritytech/parity-bridges-common/pull/1352);
+- [remove duplicate parachain heads exension](https://github.com/paritytech/parity-bridges-common/pull/1444);
+- [Signed extension for rejecting obsolete messages pallet transactions](https://github.com/paritytech/parity-bridges-common/pull/1446).
+
+## Code that may need security audit
+
+- [Remove without_storage_info for messages pallet](https://github.com/paritytech/parity-bridges-common/pull/1487);
+- [Remove pallet::without_storage_info from bridge GRANDPA pallet](https://github.com/paritytech/parity-bridges-common/pull/1478).
\ No newline at end of file