diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..da90c1a5 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy + +## Reporting a vulnerability + +If you believe you've found a security vulnerability in KTX, please report it +**privately** through GitHub Security Advisories: + +[Report a vulnerability](https://github.com/Kaelio/ktx/security/advisories/new) + +If you cannot use GitHub Security Advisories, email `support@kaelio.com` +instead. Please do **not** open a public issue, post in the KTX Slack, or +share details elsewhere until we have published a fix. + +When reporting, please include: + +- A description of the issue and its impact +- Steps to reproduce +- The KTX version affected + +## What to expect + +- We will acknowledge your report within a few business days. +- We will work with you to verify the issue and develop a fix. +- We will credit you in the resulting advisory unless you prefer to remain + anonymous. + +## Supported versions + +We provide security fixes for the latest released version of +[`@kaelio/ktx`](https://www.npmjs.com/package/@kaelio/ktx). Older versions +may receive fixes at the maintainers' discretion.
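Review bot: the email fallback (`support@kaelio.com`) gives reporters no confidential way to send details, even though the same paragraph asks them to keep everything private until a fix ships; consider publishing a PGP key or fingerprint alongside the address, or stating that the GitHub advisory form is the only channel for sensitive reproduction details and that email should be used just to request one. In "What to expect", "within a few business days" leaves the reporter without a concrete acknowledgement or disclosure timeline; a stated target (for example a fixed number of business days for the acknowledgement and an expected window for coordinated disclosure) makes the policy easier to hold to and to act on. Finally, "the latest released version" in "Supported versions" would be clearer if it said whether that means the latest version on npm at the time the report is received or at the time the fix is published.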