diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..888f3e7 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,13 @@ +# Security Policy + +## Supported Versions + +The latest major version of the project is supported with security updates. Previous major versions will also receive security updates for 12 months after the release of their respective next major versions. + +## Reporting a Vulnerability + +To report a vulnerability, please open a private vulnerability report at the respective repository's security page, e.g. https://github.com/changesets/changesets/security. Please do not report upstream vulnerabilities unless the code is bundled in the package. + +A maintainer will respond to your report as soon as possible. Please do not open a public issue for security vulnerabilities. + +Thanks for helping us keep our project secure!
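Review bot: In "Reporting a Vulnerability", "A maintainer will respond to your report as soon as possible" gives the reporter no acknowledgement window and says nothing about what happens after the first response. Consider stating a target time for the initial reply and how fixes and disclosure are coordinated with the reporter. The same section relies entirely on "the respective repository's security page", so it would help to name a fallback contact for a repository where private reporting is not available. The "12 months after the release of their respective next major versions" wording in "Supported Versions" is clear about the window, but a reader cannot tell from this file which major versions are currently inside it; a short list or a link to the release history would remove that guesswork. Finally, "unless the code is bundled in the package" could say where upstream issues should go instead, so reporters are not left without a next step.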