diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..130691bc --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,15 @@ +# Vulnerability Disclosure Policy + +This document outlines rrweb's vulnerability disclosure policy. + +## Reporting a Vulnerability + +Please do not report security vulnerabilities through public GitHub issues. +Instead, please report them to our GitHub Security page. If you prefer to submit one without using GitHub, you can also email the +private Google Group rrweb-security@googlegroups.com, which will go to the core team members only. We commit to acknowledging +vulnerability reports and will work to fix active vulnerabilities as soon as we can (noting this is a community run project). + +We will publish resolved vulnerabilities as security advisories on our GitHub security page. + +We appreciate your help in making rrweb more secure for everyone. +Thank you for your support and responsible disclosure.
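Review bot: The primary reporting channel in the "Reporting a Vulnerability" section is not actionable as written: "please report them to our GitHub Security page" carries no link, so a reporter has to guess where the private form is and may fall back to the public issue tracker that the previous line warns against. Make that phrase a link to the repository's private vulnerability reporting form, and do the same for "our GitHub security page" in the advisories sentence. The commitment in "We commit to acknowledging vulnerability reports" has no timeframe; even a best-effort target stated in days would tell a reporter when to follow up or try the Google Group address instead. The section also does not say what a report should contain (affected rrweb package and version, reproduction steps, impact) or which released versions will receive fixes, both of which reduce back-and-forth on a private channel that only core team members can read.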