diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 000000000..d4a2dc16c --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,17 @@ +# Security Policy + +## Supported Versions + +Only the latest versions of Stack's server and client packages are supported. We do not provide security updates for older versions. + +## Reporting a Vulnerability + +Stack Auth practices [responsible disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure). + +Please disclose security vulnerabilities responsibly by emailing us at responsible-disclosure@stack-auth.com. In this case: + +- We will get back to you within 96 hours. +- We will aim to get a fix released within 30 days, and disclose the issue, crediting you. +- If we are unable to fix the issue within 90 days, we will disclose the issue publicly. + +Please do not create GitHub issues with security vulnerabilities; instead, email us directly at the address above.
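Review bot: the "Reporting a Vulnerability" section offers only a plain-text email address (responsible-disclosure@stack-auth.com), so a reporter has no way to send reproduction details encrypted; consider publishing a PGP key fingerprint alongside the address or pointing to GitHub's private vulnerability reporting as an alternative channel. Also, "Only the latest versions of Stack's server and client packages are supported" does not say whether "latest" means the latest major, minor, or patch release, so users cannot tell when they must upgrade to keep receiving fixes; naming the supported release line (for example, the most recent published release of each package) would remove the ambiguity, and a short scope statement (hosted service versus self-hosted deployments) would tell reporters what the 96-hour / 30-day / 90-day commitments apply to.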