diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..065605150 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +Security Policy +--------------- + +### Supported Versions + +Only the latest version is actively supported. + +## Reporting a Vulnerability + +Please report possible vulnerabilities by email to devops@rhymix.org. +Please DO NOT use GitHub issues or pull requests for this purpose. + +We do not consider it a vulnerability if the superuser (is_admin=Y) account +can insert scripts or delete information. That's what the superuser account is for! +It will, however, be considered a serious vulnerability if someone else can +trick a superuser to perform such actions inadvertently, +for example through a CSRF attack.
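Review bot: The heading levels in this hunk are inconsistent: "Security Policy" is a setext (dashed) heading, which renders as h2, "### Supported Versions" is h3, but "## Reporting a Vulnerability" is h2, so "Supported Versions" ends up nested under the policy title while "Reporting a Vulnerability" is a sibling of it. Make the two section headings the same level, e.g. change "## Reporting a Vulnerability" to "### Reporting a Vulnerability" (or both to "##"), and consider one heading syntax throughout. Two things a reporter would also expect from this file are missing: "Only the latest version is actively supported" does not say whether that means the latest tagged release or the current development branch, and there is no statement of what happens after a report is sent (an acknowledgement window or a disclosure timeline) to devops@rhymix.org. The "is_admin=Y" scoping paragraph is a good clarification, and the CSRF example correctly separates superuser capability from confused-deputy abuse of it.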