diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..073040586 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| ------- | ------------------ | +| master | :white_check_mark: | +| 4.x | :white_check_mark: | +| 3.x | :x: | +| < 3.0 | :x: | + +## Reporting a Vulnerability + +For a [full disclosure](https://en.wikipedia.org/wiki/Full_disclosure_(computer_security)), create a GitHub issue. + +For a [coordinated disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure), email golangmigrate@proton.me and then create a GitHub issue notifying the maintainers that there's a new vulnerability (without the details). +We won't be checking that email address regularly so it's important to also create a GitHub issue to notify us.
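Review bot: In the "Reporting a Vulnerability" section, the coordinated-disclosure path relies on a mailbox that the last added line says is not checked regularly, and it gives the reporter no expected acknowledgement time and no fallback if the notifying issue goes unanswered. Consider stating a response target and spelling out what the public notification issue should and should not contain, since "without the details" leaves it to the reporter to decide how much to reveal about an unpatched issue. Alternatively, point reporters to GitHub's private vulnerability reporting so that the report and the maintainer notification go through a single private channel. In the "Supported Versions" table, `master` is listed next to the 4.x release line; one sentence on whether fixes are backported to 4.x releases or only land on master would make the table actionable.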