diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..5f465ffba
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,7 @@
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+If you believe you have found a security vulnerability in OpenPGP.js, please report it via email to [security@openpgpjs.org](mailto:security@openpgpjs.org). If possible, encrypt your message with our PGP key: it can be downloaded automatically using [WKD](https://wiki.gnupg.org/WKD), or manually on [openpgpjs.org](https://openpgpjs.org/.well-known/openpgpkey/hu/t5s8ztdbon8yzntexy6oz5y48etqsnbb?l=security).
+
+You should receive a response within 2 working days.
\ No newline at end of file