diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml index 08c1e21..018d6a5 100644 --- a/.github/workflows/security.yml +++ b/.github/workflows/security.yml @@ -94,8 +94,9 @@ jobs: contents: read env: # Policy: every direct + transitive Go dep must resolve to one of these SPDX ids. + # Keep this list sorted by SPDX id; SECURITY.md "License allowlist" must match exactly. # See SECURITY.md "Supply-chain policy" for the rationale. - ALLOWED_LICENSES: "Apache-2.0,MIT,BSD-2-Clause,BSD-3-Clause,MPL-2.0,ISC,Unlicense" + ALLOWED_LICENSES: "0BSD,Apache-2.0,BSD-2-Clause,BSD-3-Clause,BSL-1.0,CC0-1.0,ISC,MIT,MPL-2.0,Unlicense" steps: - name: Checkout uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 diff --git a/SECURITY.md b/SECURITY.md index d9b9268..0ee5f1e 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -46,20 +46,23 @@ Every PR — in `common` and in every `*-export-cli` — is gated on a CI workfl - `osv-scanner` for transitive vulnerabilities across the OSV database. - A license-policy check that allowlists only permissive licenses. -**License allowlist** (SPDX identifiers): +**License allowlist** (SPDX identifiers, sorted by SPDX id; must match `ALLOWED_LICENSES` in `.github/workflows/security.yml` exactly): +- `0BSD` - `Apache-2.0` -- `MIT` - `BSD-2-Clause` - `BSD-3-Clause` -- `MPL-2.0` +- `BSL-1.0` (Boost Software License — permissive, OSI-approved; **not** the source-available Business Source License — see denylist entry for `BUSL-*`) +- `CC0-1.0` - `ISC` +- `MIT` +- `MPL-2.0` - `Unlicense` **License denylist** (blocking; not exhaustive): - The GPL family — `GPL-*`, `LGPL-*`, `AGPL-*`. -- `SSPL-*`, `BUSL-*` / `BSL-*`, and other "source-available" licenses. +- `SSPL-*`, `BUSL-*` (Business Source License — sometimes informally written "BSL"; not to be confused with the permissive `BSL-1.0` Boost above), and other "source-available" licenses. - "Custom" or unidentified licenses where the SPDX identifier cannot be resolved. A PR that introduces a denied license is blocked. To request an exception, open an issue against `quantcli/common` with the dependency name, version, license text, and the rationale. Exceptions are rare and case-by-case.
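Review bot: In the `.github/workflows/security.yml` hunk the new comment promises that `ALLOWED_LICENSES` and the SECURITY.md "License allowlist" "must match exactly", but nothing in this workflow enforces that, so the two will drift the next time either side is edited alone. Suggest adding a small step before the license check that extracts the backticked SPDX ids from the SECURITY.md list, sorts them, and compares them against `ALLOWED_LICENSES` split on commas, failing the job on any difference. Also, the rationale for adding `CC0-1.0` is not recorded anywhere in the diff; CC0 is a public-domain dedication that expressly does not grant patent rights, which is why some organisations exclude it from code allowlists, so a one-line justification in the comment (or in SECURITY.md) would help the next reviewer.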
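Review bot: In the `SECURITY.md` hunk the unchanged context line still describes the check as one "that allowlists only permissive licenses", yet the allowlist keeps `MPL-2.0` (file-level weak copyleft) and now adds `CC0-1.0` (a public-domain dedication rather than a permissive licence); suggest rewording that line to "permissive and weak-copyleft licences" or moving `MPL-2.0` out so the description and the list agree. The clarification separating `BSL-1.0` (Boost) from `BUSL-*` (Business Source License) is correct and worth keeping; since the old denylist pattern `BSL-*` was dropped, it would be good to confirm the license-policy tool matches on exact SPDX ids (or anchored globs) so that `BUSL-*` cannot match `BSL-1.0` and, conversely, that a dependency reporting a bare `BSL` is treated as unidentified and blocked under the "cannot be resolved" rule rather than silently passing.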