diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..03b3af570
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,12 @@
+# Security Policy
+
+## Supported Versions
+
+- Pachli: the [latest release](https://github.com/pachli/pachli-android/releases/latest)
+- Pachli Current: the [latest release to Google Play](https://github.com/pachli/pachli-android/actions/workflows/upload-orange-release-google-play.yml)
+
+## Reporting a Vulnerability
+
+Please report vulnerabilities through GitHub's [report a vulnerability page](https://github.com/pachli/pachli-android/security/advisories/new).
+
+You should normally receive an initial response within two working days.