diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..20431de --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,51 @@ +# smtprelay Security Policy + +This document outlines security procedures and general policies for the +smtprelay project. + +## Supported Versions + +The latest release is the only supported release. + + +## Disclosing a security issue + +The smtprelay maintainers take all security issues in the project seriously. +Thank you for improving the security of the project! We appreciate your +dedication to responsible disclosure and will make every effort to acknowledge +your contributions. + +smtprelay leverages GitHub's private vulnerability reporting. + +To learn more about this feature and how to submit a vulnerability report, +review [GitHub's documentation on private reporting](https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability). + +Here are some helpful details to include in your report: + +- a detailed description of the issue +- the steps required to reproduce the issue +- versions of the project that may be affected by the issue +- if known, any mitigations for the issue + +A maintainer will acknowledge the report within three (3) business days, and +will send a more detailed response within an additional three (3) business days +indicating the next steps in handling your report. + +After the initial reply to your report, the maintainers will endeavor to keep +you informed of the progress towards a fix and full announcement, and may ask +for additional information or guidance. 
+ +## Vulnerability management + +When the maintainers receive a disclosure report, they will coordinate the +fix and release process, which involves the following steps: + +- confirming the issue +- determining affected versions of the project +- auditing code to find any potential similar problems +- preparing fixes for all releases under maintenance + +## Suggesting changes + +If you have suggestions on how this process could be improved please submit an +issue or pull request.
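Review bot: the "Vulnerability management" section contradicts "Supported Versions": the latter states "The latest release is the only supported release", yet the last step reads "preparing fixes for all releases under maintenance" and an earlier step is "determining affected versions of the project". Either drop the plural or make the policy explicit, e.g. "preparing a fix for the latest release; older releases will not receive backported fixes", so reporters know not to expect patches for anything but the current release. Two further gaps worth closing in the same hunk: the section relies solely on GitHub private vulnerability reporting with no fallback contact (a maintainer e-mail or PGP key) for reporters who cannot use it, and the process never states a coordinated-disclosure window or when an advisory and CVE will be published after the fix ships, so the "full announcement" mentioned in the disclosure section has no defined timeline.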