diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..ccf765629
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,7 @@
+To report a security issue, please
+email [Jujutsu VCS Security](jj-security@googlegroups.com)
+with a description of the issue, the steps you took to create the issue,
+affected versions, and, if known, mitigations for the issue. Our vulnerability
+management team will respond within 3 working days of your email. If the issue
+is confirmed as a vulnerability, we will open a Security Advisory. This project
+follows a 90 day disclosure timeline.