diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..886ddf68e --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,31 @@ +# Security Policy + +## Reporting a Security Vulnerability + +We take the security of our project very seriously. If you have discovered a security vulnerability within this project, we appreciate your cooperation in responsibly disclosing it to us. Please follow the guidelines below to report security issues. + +### Responsible Disclosure Policy + +To report a security issue, **do not disclose it publicly**. Public disclosure of a security vulnerability can put the entire community at risk. We urge you to keep the issue private until we have had a chance to address it. + +### How to Report a Security Vulnerability + +If you believe you have found a security vulnerability, please submit your report to us as soon as possible through one of the following methods: + +- **Email**: Send your report via email to [jigsaw-code@google.com](mailto:jigsaw-code@google.com). This is the preferred method of contact for security issues. +- **GitHub Private Report**: Alternatively, you can submit a private vulnerability report through our GitHub repository by visiting this link: [Private Vulnerability Report](https://github.com/Jigsaw-Code/outline-server/security/advisories/new). + +### Information to Include in Your Report + +Your report should be clear and include as much information as possible to help us understand the nature and severity of the issue. Please include the following: + +- **Description of the Vulnerability**: Provide a detailed description of the vulnerability you have discovered. Explain how it affects the project and the potential impact if exploited. +- **Steps to Reproduce**: Include detailed steps on how to reproduce the issue. This will help us to quickly verify the problem and work on a fix. + +### After You Report + +Once you have reported a security issue, we will acknowledge your email within a reasonable time frame. Our security team will then work on verifying the issue and determining its impact. 
We may contact you for further information if needed. + +We ask for your patience as we work to resolve the security issue. Once the issue is addressed, we will notify you, and depending on the severity and nature of the vulnerability, we may publicly acknowledge your contribution to improving the security of our project. + +Thank you for helping us keep our project and the community safe.
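Review bot: in the "After You Report" section the acknowledgement commitment covers only one of the two reporting channels and names no concrete window: "we will acknowledge your email within a reasonable time frame" says nothing to a reporter who used the GitHub private vulnerability report link offered under "How to Report", and "reasonable" is left undefined. Suggest rewording to something like "we will acknowledge your report, whether sent by email or filed as a GitHub private advisory, within N business days" (N being whatever the team can commit to), and adding to the email bullet in "How to Report" whether an encryption key is available for that channel, since the policy asks reporters to keep details private but currently offers no way to protect a report in transit.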