diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..6e1e5a2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,16 @@ +# Security Policy + +Please do not report suspected security vulnerabilities in public GitHub +issues. + +To report a vulnerability privately, email the project contacts listed in the +package metadata: + +- Cory Benfield +- Thomas Kriechbaumer + +Include the affected hpack version, a description of the issue, reproduction +steps or proof-of-concept details if available, and any known mitigations. + +The Hyper project's broader security guidance is documented at +https://python-hyper.org/en/latest/security.html.
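Review bot: The contact list under "email the project contacts listed in the package metadata" gives two names but no addresses, so a reporter has to locate the package metadata before anything can be sent privately; put the addresses, or a single security alias, directly in this file. The policy also does not say what happens after a report is sent: consider adding an expected acknowledgement window and a sentence on how disclosure will be coordinated with the reporter. The text asks for reproduction steps or proof-of-concept details by email without naming any encrypted channel, so if encrypted reports are wanted, state the key or channel here.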