diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8f64129 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy + +## Supported Versions + +Security support is defined by the maintainers of this repository. + +In general: +- Current stable/release branches: supported +- End-of-life (EOL) releases: unsupported + +## Reporting a Vulnerability + +Please do not open public issues or pull requests for security vulnerabilities. + +Preferred channel: +- Use GitHub “Report a vulnerability” (Security Advisories / Private Vulnerability Reporting), if enabled on this repository. + +If GitHub reporting is not available: +- Contact the vendor’s official security/PSIRT channel (maintainers define). + +Please include: +- Affected component(s) and version(s) +- Impact description + CVSS v3.1 vector (if possible) +- Reproduction steps (HTTP request / curl / minimal script) +- Configuration/network assumptions +- Evidence (logs/screenshots), without real secrets
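Review bot: The fallback under "Reporting a Vulnerability" still reads "Contact the vendor's official security/PSIRT channel (maintainers define)", which is a template placeholder. A reporter therefore has no usable private channel when GitHub private reporting is not enabled. Replace it with the actual address or URL before merging, and either confirm that private vulnerability reporting is enabled or drop the "if enabled on this repository" qualifier. "Supported Versions" has the same gap: "Security support is defined by the maintainers of this repository" and "Current stable/release branches: supported" name no branch or version, so a reporter cannot tell whether the release they run is covered. List the supported branches or versions explicitly. The "Please include" list asks for evidence "without real secrets", but the policy does not say what the reporter can expect after submitting; consider adding an acknowledgement and disclosure expectation.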