diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..cc83b959ac
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,28 @@
+# Security Policy
+
+Security announcements are sent to zulip-announce@googlegroups.com,
+so you should subscribe if you are running Zulip in production.
+
+## Reporting a Vulnerability
+
+We love responsible reports of (potential) security issues in Zulip,
+whether in the latest release or our development branch.
+
+Our security contact is security@zulip.com.  Reporters should expect a
+response within 24 hours.
+
+Please include details on the issue and how you'd like to be credited
+in our release notes when we publish the fix.
+
+Our [security
+model](https://zulip.readthedocs.io/en/latest/production/security-model.html)
+document may be a helpful resource.
+
+## Supported Versions
+
+Zulip provides security support for the latest major release, in the
+form of minor security/maintenance releases.
+
+We work hard to make
+[upgrades](https://zulip.readthedocs.io/en/latest/production/upgrade-or-modify.html#upgrading-to-a-release)
+reliable, so that there's no reason to run older major releases.