diff --git a/tensorflow/security/advisory/tfsa-2020-027.md b/tensorflow/security/advisory/tfsa-2020-027.md
new file mode 100644
index 00000000000..e2c87c97953
--- /dev/null
+++ b/tensorflow/security/advisory/tfsa-2020-027.md
@@ -0,0 +1,52 @@
+## TFSA-2020-027: Segfault in `tf.quantization.quantize_and_dequantize`
+
+### CVE Number
+CVE-2020-15265
+
+### Impact
+An attacker can pass an invalid `axis` value to
+`tf.quantization.quantize_and_dequantize`:
+
+```python
+tf.quantization.quantize_and_dequantize(
+    input=[2.5, 2.5], input_min=[0,0], input_max=[1,1], axis=10)
+```
+
+This results in accessing [a dimension outside the rank of the input
+tensor](https://github.com/tensorflow/tensorflow/blob/0225022b725993bfc19b87a02a2faaad9a53bc17/tensorflow/core/kernels/quantize_and_dequantize_op.cc#L74)
+in the C++ kernel implementation:
+```cc
+const int depth = (axis_ == -1) ? 1 : input.dim_size(axis_);
+```
+
+However, [`dim_size` only does a
+`DCHECK`](https://github.com/tensorflow/tensorflow/blob/0225022b725993bfc19b87a02a2faaad9a53bc17/tensorflow/core/framework/tensor_shape.cc#L292-L307)
+to validate the argument and then uses it to access the corresponding element of
+an array:
+```cc
+int64 TensorShapeBase<Shape>::dim_size(int d) const {
+  DCHECK_GE(d, 0);
+  DCHECK_LT(d, dims());
+  DoStuffWith(dims_[d]);
+}
+```
+
+Since in normal builds, `DCHECK`-like macros are no-ops, this results in
+segfault and access out of bounds of the array.
+
+### Patches
+
+We have patched the issue in
+[eccb7ec454e6617738554a255d77f08e60ee0808](https://github.com/tensorflow/tensorflow/commit/eccb7ec454e6617738554a255d77f08e60ee0808)
+and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
+packages after this commit will also have the issue resolved.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported in
+[#42105](https://github.com/tensorflow/issues/42105).
diff --git a/tensorflow/security/advisory/tfsa-2020-028.md b/tensorflow/security/advisory/tfsa-2020-028.md
new file mode 100644
index 00000000000..a69df53a77e
--- /dev/null
+++ b/tensorflow/security/advisory/tfsa-2020-028.md
@@ -0,0 +1,27 @@
+## TFSA-2020-028: Float cast overflow undefined behavior
+
+### CVE Number
+CVE-2020-15266
+
+### Impact
+When the `boxes` argument of `tf.image.crop_and_resize` has a very large value,
+the CPU kernel implementation receives it as a C++ `nan` floating point value.
+Attempting to operate on this is undefined behavior which later produces a
+segmentation fault.
+
+### Patches
+
+We have patched the issue in
+[c0319231333f0f16e1cc75ec83660b01fedd4182](https://github.com/tensorflow/tensorflow/commit/c0319231333f0f16e1cc75ec83660b01fedd4182)
+and will release TensorFlow 2.4.0 containing the patch. TensorFlow nightly
+packages after this commit will also have the issue resolved.
+
+### For more information
+Please consult [our security
+guide](https://github.com/tensorflow/tensorflow/blob/master/SECURITY.md) for
+more information regarding the security model and how to contact us with issues
+and questions.
+
+### Attribution
+This vulnerability has been reported in
+[#42129](https://github.com/tensorflow/issues/42129).