diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..2d114df
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,29 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+If you discover a security vulnerability in this project,
+please report it responsibly.
+
+**Do not open a public issue.** Instead, contact the
+maintainer directly by email or through a
+[private security advisory](https://github.com/finallyjay/selfhosted-docker-services/security/advisories/new).
+
+Please include:
+
+- A description of the vulnerability
+- Steps to reproduce the issue
+- The affected service(s) and version(s)
+
+You can expect an initial response within 72 hours.
+
+## Scope
+
+This policy applies to the Docker Compose configurations
+and related files in this repository. Vulnerabilities in
+upstream container images should be reported to their
+respective maintainers.
+
+## Supported Versions
+
+Only the latest version on the `main` branch is supported.