diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..59758ba --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,42 @@ +# Security Policy + +We take the security of SecureLens and the codebases it scans seriously. This document details how to report vulnerabilities, which versions are supported, and our disclosure process. + +--- + +## Supported Versions + +Security updates are actively backported to the current major version. We recommend all users upgrade to the latest stable release of SecureLens to receive security patches. + +| Version | Supported | +|---|---| +| 1.x.x | Yes | +| < 1.0.0 | No | + +--- + +## Reporting a Vulnerability + +If you discover a security vulnerability in SecureLens, please do not open a public GitHub issue. Public issues allow zero-day exploits to be used before patches are available. + +Instead, report vulnerabilities through one of the following methods: +* **Private Vulnerability Reporting:** Submit a draft security advisory directly on GitHub via the Security tab. +* **Email:** Send details of the issue to security@securelens.io. + +### What to Include in Your Report + +To help us triage and patch the issue quickly, please include: +* A detailed description of the vulnerability and its potential impact. +* Step-by-step instructions or a proof-of-concept (PoC) to reproduce the issue. +* The version of SecureLens (both backend and CLI) and dependencies used. +* Any potential mitigation steps you have identified. + +--- + +## Our Security Response Process + +Once a vulnerability report is received: +1. **Acknowledgement:** We will acknowledge receipt of your report within 48 hours. +2. **Triage:** We will investigate and verify the vulnerability. We may contact you for further details or clarification. +3. **Patch Development:** We will develop a fix for the vulnerability. +4. **Coordination & Disclosure:** We will work with you to coordinate a release date for the security update. We aim to publish a patched release and advisory within 30 days of validation.
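Review bot: The "Reporting a Vulnerability" section offers email to security@securelens.io as a channel but gives no PGP key or fingerprint, so a reporter following the "What to Include" list would be sending a working PoC and affected-version details in plaintext; either publish a key next to the address or state that GitHub Private Vulnerability Reporting is the preferred channel and email is for first contact only. Related gap in "Our Security Response Process": step 4 gives a 30-day target for a patched release and advisory but says nothing about what happens if that target slips or when the reporter is free to disclose independently, so consider adding one line such as "If a fix is not available within 90 days of acknowledgement, we will coordinate public disclosure with the reporter" so expectations are set on both sides.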