diff --git a/README.md b/README.md index da7a670..dc3c6ec 100644 --- a/README.md +++ b/README.md @@ -26,6 +26,8 @@ licensed under the [Apache License, version 2.0](https://www.apache.org/licenses Because of how Python internally stores numbers, it is very hard (if not impossible) to make a pure-Python program secure against timing attacks. This library is no exception, so use it with care. See https://securitypitfalls.wordpress.com/2018/08/03/constant-time-compare-in-python/ for more info. +For instructions on how to best report security issues, see our [Security Policy](https://github.com/sybrenstuvel/python-rsa/blob/main/SECURITY.md). + ## Setup of Development Environment ``` diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d1923f4 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,13 @@ +# Security Policy + +## Supported Versions + +Security updates are applied only to the latest release. + +## Reporting a Vulnerability + +If you have discovered a security vulnerability in this project, please report it privately. **Do not disclose it as a public issue.** This gives us time to work with you to fix the issue before public exposure, reducing the chance that the exploit will be used before a patch is released. + +Please disclose it by email to . + +This project is maintained by a team of volunteers on a reasonable-effort basis. As such, vulnerabilities will be handled and/or disclosed in a best effort base.
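Review bot: the README link in the first hunk hard-codes the upstream `main` branch (`https://github.com/sybrenstuvel/python-rsa/blob/main/SECURITY.md`), so from a fork, a release tag or a renamed default branch it still points at upstream rather than at the copy of the policy that ships with that checkout; a relative link, `[Security Policy](SECURITY.md)`, resolves correctly wherever the README is rendered.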
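Review bot: the contact line in the new SECURITY.md, `Please disclose it by email to .`, carries no address, so the policy as committed gives reporters no private channel at all even though the paragraph above it asks them not to open a public issue; add the intended mailbox (or a pointer to GitHub's private vulnerability reporting for the repository) before merging. A smaller point in the same hunk: `handled and/or disclosed in a best effort base` should read `on a best-effort basis`.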