diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..2430202
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,23 @@
+# Security Policy
+
+## Supported Versions
+
+Version of the server used should be included when reporting vulnerabilities,
+however please try to use the latest versions if you are the server admin.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 0.5.x   | :white_check_mark: |
+
+
+## Reporting a Vulnerability
+
+Send an email to **hedy at tilde dot cafe**.
+
+Do NOT use my public inbox on lists.sr.ht or tell me publicly since other public
+servers running on spsrv (not only yours) could be prone to the same issue.
+
+=> [mailto link](mailto:hedy@tilde.cafe)
+
+You can expect emails to be read within a week, and I will reply promply to indicate when
+I'll be able to work on a fix, if possible.