diff --git a/README.md b/README.md
index 76fe7f6d3eafb98d463db1e27405fd2466114a59..485ad41de7606b8d9ffb68d687f7296e96a61925 100755
--- a/README.md
+++ b/README.md
@@ -32,10 +32,14 @@ the demo page: `Admin / ipamadmin`
 Community maintained docker images are available at https://hub.docker.com/u/phpipam
 
 ## Changelog
-See misc/CHANGELOG
+See [misc/CHANGELOG](misc/CHANGELOG)
 
 ## Roadmap
-See misc/Roadmap
+See [misc/Roadmap](misc/Roadmap)
+
+## Security
+
+See [SECURITY.md](SECURITY.md)
 
 ## Contact
 miha.petkovsek@gmail.com
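Review bot: The new `## Security` heading is followed by a blank `+` line before `See [SECURITY.md](SECURITY.md)`, while the Changelog, Roadmap and Contact headings in this same hunk put their body on the very next line. Drop the blank line after the heading so the section matches the rest of the file. Since Contact still shows a single address with no mention of security reports, a short pointer there to SECURITY.md would keep vulnerability reports out of the general contact path.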
@@ -46,4 +50,4 @@ that is used for development of phpIPAM and for demo site.
 And also to all users that filed a bug report / feature report and helped with feature testing!
 
 ## License
-phpIPAM is released under the GPL v3 license, see misc/gpl-3.0.txt.
+phpIPAM is released under the GPL v3 license, see [misc/gpl-3.0.txt](misc/gpl-3.0.txt).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000000000000000000000000000000000..430594b3b5525efbeae6788815ccc534fa3b30d0
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,20 @@
+# Security Policy
+
+## Supported Versions
+
+The development branch and non-obsolete production branches listed in [README.md](README.md) are supported with security updates.
+
+Issues only in feature testing (non-production) branches should be reported via the GitHub issue tracker.
+
+## Reporting a Vulnerability
+
+Please report suspected security vulnerabilities to the contacts below. We will aim to acknowledge your email within 48 hours but could be longer (holidays etc...)
+
+- Gary Allan (maintainer) github@gallan.co.uk
+- Miha Petkovsek (owner) miha.petkovsek@gmail.com
+
+## Guidelines
+
+CVE numbers will not be provided by the phpIPAM project due to lack of resources to manage their lifecycle. If you require a CVE number please obtain prior to reporting a vulnerability and include with your submission.
+
+Issues that are the responsibility of end-users such as use of weak passwords or choice to deploy with HTTP vs HTTPS will be rejected.
\ No newline at end of file
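Review bot: The "Reporting a Vulnerability" section gives only two plain e-mail addresses. It offers no way to send a report confidentially and does not say what a report should contain or how disclosure is coordinated after acknowledgement. Consider adding a PGP key or fingerprint for each contact (or another private channel), a short list of what to include (affected version or branch, reproduction steps, impact), and what the reporter can expect after the acknowledgement. The acknowledgement sentence is also ungrammatical: "We will aim to acknowledge your email within 48 hours but could be longer (holidays etc...)" would read better as "We aim to acknowledge your email within 48 hours, but it may take longer (for example during holidays)." Under "Supported Versions" the policy depends on branches "listed in README.md", and the README hunks in this patch add no such list, so confirm that the README names them or list the supported branches here. Under "Guidelines", "please obtain prior to reporting" is missing its object ("obtain one"). The file also ends without a trailing newline.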