diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..d45e4f2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy + +## Supported versions + +| Version | Supported | +| ------- | --------- | +| 0.x | Yes | + +## Reporting a vulnerability + +Please **do not** open a public GitHub issue to report a security vulnerability. + +Instead, send a private report to the maintainers via one of these channels: + +- **GitHub private vulnerability reporting** — click *Security* → *Report a vulnerability* on this repository (preferred). +- **Email** — send details to the email address listed in the repository profile. Encrypt your message with our PGP key if the details are sensitive. + +### What to include + +- A clear description of the vulnerability and its potential impact. +- Steps to reproduce or a minimal proof-of-concept. +- The version(s) affected. +- Any suggested mitigations, if known. + +### What to expect + +- Acknowledgement of your report within **3 business days**. +- A status update within **7 business days** confirming whether we have accepted or declined the report. +- A coordinated public disclosure after a fix is released, crediting you unless you prefer to remain anonymous. + +Thank you for helping keep KidWallet safe.
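Review bot: In the "Reporting a vulnerability" section, the Email bullet sends reporters to "the email address listed in the repository profile" and tells them to encrypt with "our PGP key" without naming the address or identifying the key, so a reporter cannot tell from this file which key is genuine or where to fetch it. Put the actual address and the key's fingerprint (or a link to the public key) directly in that bullet, so the policy is self-contained and the key can be checked against what the repository publishes. A smaller point in "What to expect": the commitments cover acknowledgement and triage but give no target for when a fix or coordinated disclosure will happen; adding a stated disclosure window (or an explicit statement that the timeline is agreed per report) would set reporter expectations.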