diff --git a/PRIVATE/__no_init__.py b/PRIVATE/__no_init__.py
new file mode 100644
index 0000000..76b8a0c
--- /dev/null
+++ b/PRIVATE/__no_init__.py
@@ -0,0 +1,5 @@
+#! /usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+# Placeholder to remind this directory should not become a package
+# In order to avoid bundling it with the main package as wheel / bdist
\ No newline at end of file
diff --git a/SECURITY.md b/SECURITY.md
index baa793c..86ed356 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -56,4 +56,8 @@ When set, an external NTP server is used to get the offset. If offset is high en
 
 # NPF-SEC-00011: Default AES key obfuscation
 
-Using obfuscation() symmetric function in order to not store the bare AES key.
\ No newline at end of file
+Using obfuscation() symmetric function in order to not store the bare AES key.
+
+# NPF-SEC-00012: Don't add PRIVATE directory to wheel / bdist builds
+
+The PRIVATE directory might contain alternative AES keys and obfuscation functions which should never be bundled for a PyPI release.
\ No newline at end of file
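Review bot: The placeholder comment in `PRIVATE/__no_init__.py` states the goal but not the mechanism, so a maintainer could still add an `__init__.py` later without realising it defeats the control. I would spell it out, e.g. `# Do NOT add an __init__.py here: without it, package discovery skips PRIVATE and keeps it out of wheel / bdist builds (see NPF-SEC-00012).` The absence of `__init__.py` presumably only protects builds whose discovery requires that file; namespace-package discovery, an explicit package list or a source distribution could still pick the directory up. The packaging configuration is not visible in this diff, so this needs confirming there. Since the directory may hold alternative AES keys, an explicit exclude in the build configuration plus a release step that lists the built archive's contents and fails on any `PRIVATE/` entry would be a stronger guarantee than the naming convention alone.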