diff --git a/src/receive_imf.rs b/src/receive_imf.rs
index 29e85527c..012ad29b9 100644
--- a/src/receive_imf.rs
+++ b/src/receive_imf.rs
@@ -3507,8 +3507,10 @@ async fn apply_out_broadcast_changes(
 } else if let Some(added_addr) = mime_parser.get_header(HeaderDef::ChatGroupMemberAdded) {
 // TODO this may lookup the wrong contact if multiple contacts have the same email addr.
 // We can send sync messages instead,
- // lookup the fingerprint by gossip header (like it's done for groups right now)
- // or add a header ChatGroupMemberAddedFpr.
+ // lookup the fingerprint by gossip header (like it's done for groups right now),
+ // add a header ChatGroupMemberAddedFpr,
+ // or only handle addition on receival of Bob's request message and solve the problem in a different way for member-removed.
+ // --> link2xt said to probably handle addition on receival of Bob's request message, and to add a header ChatGroupMemberRemovedFpr.
 let contact = lookup_key_contact_by_address(context, added_addr, None).await?;
 if let Some(contact) = contact {
 better_msg.get_or_insert(
diff --git a/src/securejoin.rs b/src/securejoin.rs
index 80e31477f..4132382b7 100644
--- a/src/securejoin.rs
+++ b/src/securejoin.rs
@@ -292,6 +292,8 @@ pub(crate) async fn handle_securejoin_handshake(
 
 // TODO talk with link2xt about whether we need to protect against this identity-misbinding attack,
 // and if so, how
+ // -> just put Alice's fingerprint into a header (can't put the gossip header bc we don't have this)
+ // -> or just ignore the problem for now - we will need to solve it for all messages anyways: https://github.com/chatmail/core/issues/7057
 if !matches!(
 step,
 "vg-request" | "vc-request" | "vb-request-with-auth" | "vb-member-added"
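Review bot: The added comment lines in apply_out_broadcast_changes record a decision as conversation notes (`--> link2xt said to probably ...`), while the call directly below, `lookup_key_contact_by_address(context, added_addr, None)`, still resolves the added member by e-mail address alone. Until the planned change lands, the existing TODO's concern holds: a member-added header can be bound to a different key-contact that shares the address. The comment should state that as current behaviour and point to a tracking issue rather than to a person. I would replace the four added lines with `// TODO(<tracking-issue>): address-only lookup may pick the wrong key-contact; plan: handle addition on receipt of Bob's request message and add a ChatGroupMemberRemovedFpr header for removal.` The enclosing function starts and ends outside the hunk.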
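Review bot: The two added lines under the identity-misbinding TODO in handle_securejoin_handshake list alternatives but record no decision. A reader cannot tell whether the steps matched below (`"vb-request-with-auth"` and `"vb-member-added"` among them) currently run without that protection, or whether the risk has been accepted. If deferring is the outcome, say so and keep the link: `// Known gap: no protection against identity misbinding here yet; accepted for now, tracked in https://github.com/chatmail/core/issues/7057.` If the header option is chosen, the comment should name the header that carries Alice's fingerprint and the step that verifies it. The `if !matches!(` expression is cut off at the end of the hunk, so what the branch does is not visible here.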