diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..2571679 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,20 @@ +# Security Policy + +## Reporting a Vulnerability + +To report a low-risk security vulnerability, please [open an issue](https://github.com/b0o/surfingkeys-conf/issues/new). + +To report a medium- to high-risk vulnerability, please email me at `maddy -at- na dot ai`. + +Low-risk is loosely defined as a vulnerability that may cause annoyance to the user. + +Medium-risk is loosely defined as a vulnerability that may: +- be used to cause a denial of service to the user, their network, or other networks +- require an attacker to have physical access to the user's device + +High-risk is loosely defined as a vulnerability that may be exploited by a remote attacker to: +- run arbitrary code on the user's browser or device +- exfiltrate private data from the user's browser or device +- cause data loss or damage to the user's browser or device + +These are general guidelines; please use your best intuition to decide how to responsibly disclose any security issue.
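Review bot: In the medium-risk list, the bullet "require an attacker to have physical access to the user's device" is an attack precondition, while every other bullet in the medium and high lists describes an impact, so a report can match both tiers at once. A bug that needs physical access but ends in code execution or data exfiltration has no clear classification. Suggest defining the tiers by impact only and adding one sentence saying how a physical-access requirement changes the tier. The high-risk definition is likewise limited to "a remote attacker", which leaves the same impacts from a local, non-physical attacker unclassified. Separately, the email address is the only private channel offered and the file gives no expected response time; consider stating one, and consider offering an encrypted option or GitHub's private vulnerability reporting for the medium- to high-risk path.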