diff --git a/abump.in b/abump.in
index 03d1bd0dc1ae85772b9b02be1ebda5aa3f0511db..9d310a39650751b4c7cc11a443956ec6855aec12 100755
--- a/abump.in
+++ b/abump.in
@@ -10,18 +10,22 @@ die() {
 # version bump a pkg
 
 do_bump() {
-	pkgname=${1%-[0-9]*}
-	pkgver=${1#${pkgname}-}
+	local pkgname=${1%-[0-9]*}
+	local pkgver=${1#${pkgname}-}
 
 	APORTS=$HOME/aports
 
 	set -e
 
 	cd $APORTS/*/$pkgname || return 1
-	section=${PWD%/*}
+	local section=${PWD%/*} upgrade="upgrade" cve=
 	section=${section##*/}
+	if [ -n "$cvelist" ]; then
+		upgrade="security upgrade"
+		cve=" ($cvelist)"
+	fi
 
-	msg="$section/$pkgname: upgrade to $pkgver"
+	msg="$section/$pkgname: $upgrade to ${pkgver}${cve}"
 	echo "$msg"
 	
 	( . ./APKBUILD; type package | grep -q function ) || die "package() missing"
@@ -38,21 +42,23 @@ do_bump() {
 
 usage() {
 	echo "$program - utility to bump pkgver in APKBUILDs"
-	echo "usage: $program [-hR]"
+	echo "usage: $program [-hR] [-s CVE-1,CVE-2,...]"
 	echo ""
 	echo "  -h  show this help"
 	echo "  -R  run abuild with -R for recursive building"
 	echo "  -k  keep existing packages"
+	echo "  -s  security update"
 	exit 0
 }
 
 keep=
 recursive="-r"
-while getopts "hkR" opt; do
+while getopts "hkRs:" opt; do
 	case $opt in
 	h) usage;;
 	k) keep="-k";;
 	R) recursive="-R";;
+	s) cvelist="$OPTARG";;
 	esac
 done
 shift $(( $OPTIND - 1))