diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..352f85f0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,18 @@ +# Security Policy + +## Supported Versions +Currently, the `master` branch and the latest release of `jdeploy` are receiving security updates. + +| Version | Supported | +| ------- | ------------------ | +| Latest | :white_check_mark: | +| < Latest| :x: | + +## Reporting a Vulnerability + +Because `jdeploy` handles privileged execution contexts, code signing certificates, and downstream installation bundles, security is a top priority. + +If you discover a vulnerability, please **do not open a public issue.** Instead, please report it via [GitHub Private Vulnerability Reporting](https://docs.github.com/en/code-security/security-advisories/repository-security-advisories/privately-reporting-a-security-vulnerability) (if enabled by the maintainers) or contact the maintainers directly. + +### Disclosure Timeline +We follow standard industry Coordinated Vulnerability Disclosure (CVD) practices. Reporters are expected to provide a **90-day** window for remediation before public disclosure or CVE publication.
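Review bot: The "Reporting a Vulnerability" section gives a reporter no guaranteed channel: the GitHub Private Vulnerability Reporting link is qualified with "(if enabled by the maintainers)" and the fallback is "contact the maintainers directly" with no address, so if PVR is not enabled the only remaining path is the public issue tracker the policy tells reporters not to use. Since this file is authored by the maintainers, state definitively whether PVR is enabled (and enable it before merging), and add a concrete contact such as a security mailbox, e.g. `contact the maintainers at security@<project-domain>` (address to be filled in by the maintainers). Two smaller points in the same hunk: the "Supported Versions" prose says both `master` and the latest release receive security updates, but the table lists only `Latest` and `< Latest`, so add a `master` row or drop it from the sentence; and "Disclosure Timeline" places a 90-day obligation on reporters while committing the project to nothing, so add an acknowledgement and triage target (for example, an initial response within a stated number of days) so the CVD expectation is mutual.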