diff --git a/README.md b/README.md index 779decc9c6d7..e39781e35699 100644 --- a/README.md +++ b/README.md @@ -50,7 +50,7 @@ $ npm install --save tedious # Microsoft SQL Server - [Contributing](https://github.com/sequelize/sequelize/blob/master/CONTRIBUTING.md) ## Responsible disclosure -If you have any security issue to report, contact project maintainers privately. You can find contact information in [CONTACT.md](https://github.com/sequelize/sequelize/blob/master/CONTACT.md). +If you have security issues to report please refer to our [Responsible Disclosure Policy](./SECURITY.md) for more details. ## Resources diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..4550acfe6247 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,44 @@ +# Security Policy + +## Supported versions + +The following table describes the versions of this project that are currently supported with security updates: + +| Version | Supported | +| ------- | ------------------ | +| 3.x | :white_check_mark: | +| 4.x | :white_check_mark: | +| 5.x | :white_check_mark: | + +## Responsible disclosure security policy + +A responsible disclosure policy helps protect users of the project from publicly disclosed security vulnerabilities +without a fix by employing a process where vulnerabilities are first triaged in a private manner, and only publicly +disclosed after a reasonable time period that allows patching the vulnerability and provides an upgrade path for users. + +When contacting us directly via email, we will do our best efforts to respond in a reasonable time to resolve the issue. +When contacting a security program their disclosure policy will provide details on timeframe, processes and paid bounties. + +We kindly ask you to refrain from malicious acts that put our users, the project, or any of the project’s team members at +risk. + +## Reporting a security issue + +At Sequelize, we consider the security of our systems a top priority. But no matter how much effort we put into system +security, there can still be vulnerabilities present. + +If you discover a security vulnerability, please use one of the following means of communications to report it to us: + +* Report the security issue to the Node.js Security WG through the +[HackerOne program](https://hackerone.com/nodejs-ecosystem) for ecosystem modules on npm, or to +[Snyk Security Team](https://snyk.io/vulnerability-disclosure). They will help triage the security issue and work with +all involved parties to remediate and release a fix. + +Note that time-frame and processes are subject to each program’s own policy. + +* Report the security issue to the [project maintainers](./CONTACT.md) directly. 
If the report contains +highly sensitive information, you should consider reporting to one of the above mentioned disclosure programs that allow +sending the report over a secure medium. + +Your efforts to responsibly disclose your findings are sincerely appreciated and will be taken into account to acknowledge +your contributions.
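Review bot: the README hunk swaps an absolute GitHub URL for the relative link `[Responsible Disclosure Policy](./SECURITY.md)`, which is inconsistent with the neighbouring `[Contributing](https://github.com/sequelize/sequelize/blob/master/CONTRIBUTING.md)` entry and will not resolve where the README is rendered outside the repository (for example on the npm package page). Suggest keeping the absolute form, `https://github.com/sequelize/sequelize/blob/master/SECURITY.md`, so the security contact path still works for users who never open the repo. Minor: "If you have security issues to report please refer to" needs a comma after "report".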
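Review bot: in the SECURITY.md hunk the sentence "Note that time-frame and processes are subject to each program's own policy." is placed between the two `*` bullets under "Reporting a security issue", which splits the list in two when rendered; either indent it as a continuation of the first bullet or move it below the second one. The direct-contact option also offers no secure channel: the text itself tells reporters with "highly sensitive information" to use a third-party program instead, so consider publishing a PGP key or a dedicated security mailbox in CONTACT.md, or stating explicitly that direct reports are plaintext. In "Responsible disclosure security policy", "When contacting us directly via email, we will do our best efforts to respond" has a dangling modifier and should read "If you contact us directly via email, we will make our best effort to respond"; a concrete acknowledgement window (e.g. a number of business days) would make that commitment checkable. Finally, the "Supported versions" table marks 3.x, 4.x and 5.x as supported but lists no unsupported line, so it does not tell users which versions will not receive fixes.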