diff --git a/README.md b/README.md
index 50fd4b8..11d2bd0 100644
--- a/README.md
+++ b/README.md
@@ -162,8 +162,11 @@ Please refer to the [release page](https://github.com/actions/checkout/releases/
 github-server-url: ''
 
 # Required to check out fork pull request code from a workflow triggered by
- # `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link) for
- # the risks. Set to `true` only after reviewing the risks.
+ # `pull_request_target` or `workflow_run`. These workflows run with the base
+ # repository's GITHUB_TOKEN, secrets, default-branch cache scope, and runner
+ # access; fetching a fork's code in that trusted context is the "pwn request"
+ # supply-chain attack pattern. Set to `true` only after reviewing the risks at
+ # https://gh.io/allow-unsafe-pr-checkout.
 # Default: false
 allow-unsafe-pr-checkout: ''
 ```
diff --git a/action.yml b/action.yml
index d69cdc1..a2a5a1d 100644
--- a/action.yml
+++ b/action.yml
@@ -101,8 +101,11 @@ inputs:
 allow-unsafe-pr-checkout:
 description: >
 Required to check out fork pull request code from a workflow triggered by
- `pull_request_target` or `workflow_run`. See [Pwn Requests](todo:need-link)
- for the risks. Set to `true` only after reviewing the risks.
+ `pull_request_target` or `workflow_run`. These workflows run with the
+ base repository's GITHUB_TOKEN, secrets, default-branch cache scope, and
+ runner access; fetching a fork's code in that trusted context is a
+ "pwn request" supply-chain attack pattern. Set to `true` only after
+ reviewing the risks at https://gh.io/allow-unsafe-pr-checkout.
 default: false
 outputs:
 ref:
diff --git a/dist/index.js b/dist/index.js
index cc237ad..1e0b022 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -2833,8 +2833,9 @@ function assertSafePrCheckout(input) {
 throw new Error(`Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
 `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
 `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
- `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
- `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`);
+ `"pwn request" supply-chain attack pattern. To opt in after reviewing the risks at ` +
+ `https://gh.io/allow-unsafe-pr-checkout, set 'allow-unsafe-pr-checkout: true' on the ` +
+ `actions/checkout step.`);
 }
 function pushIfSha(target, value) {
 if (typeof value === 'string' && value.length > 0) {
diff --git a/src/unsafe-pr-checkout-helper.ts b/src/unsafe-pr-checkout-helper.ts
index 9d4c0d5..7992caf 100644
--- a/src/unsafe-pr-checkout-helper.ts
+++ b/src/unsafe-pr-checkout-helper.ts
@@ -75,8 +75,9 @@ export function assertSafePrCheckout(input: IUnsafePrCheckoutInput): void {
 `Refusing to check out fork pull request code from a '${eventName}' workflow. ` +
 `This workflow runs with the base repository's GITHUB_TOKEN, secrets, default-branch ` +
 `cache scope, and runner access. Fetching fork's code in that trusted context is a ` +
- `"pwn request" supply-chain attack pattern. To opt in after reviewing the risk, set ` +
- `'allow-unsafe-pr-checkout: true' on the actions/checkout step.`
+ `"pwn request" supply-chain attack pattern. To opt in after reviewing the risks at ` +
+ `https://gh.io/allow-unsafe-pr-checkout, set 'allow-unsafe-pr-checkout: true' on the ` +
+ `actions/checkout step.` + ) }