diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000000..13a07e45ebdbc --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,15 @@ +# Security policy + +## Reporting a vulnerability + +If you have found a possible vulnerability, please email `security at astral dot sh`. + +## Bug bounties + +While we sincerely appreciate and encourage reports of suspected security problems, please note that +Astral does not currently run any bug bounty programs. + +## Vulnerability disclosures + +Critical vulnerabilities will be disclosed via GitHub's +[security advisory](https://github.com/astral-sh/ruff/security) system.
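Review bot: The "Reporting a vulnerability" section gives only a contact address (`security at astral dot sh`) and does not tell the reporter to keep the issue out of the public tracker, what to include in the report, or when to expect an acknowledgement. Adding one sentence for each would set expectations and reduce the chance of an accidental public disclosure. In "Vulnerability disclosures", the text commits only to disclosing critical vulnerabilities, so it is worth stating how lower-severity issues are communicated. The link labelled "security advisory" also points at the repository's `/security` page, not at the advisories list itself, which readers may expect from the label.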