diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..dc1fd1b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy +This is the security notice for MHSF. The policy explains how vulnerabilities should be reported. + +## Reporting a Vulnerability +If you've found a vulnerability, we would like to know so we can fix it before it is released publicly. **Do not open a GitHub issue for a found vulnerability.** + +Send details to either *a)* `support@mhsf.app` or *b)* GitHub Security (`Security` tab -> `Report a vulnerability`) including: + +- the website, page or repository where the vulnerability can be observed +- a brief description of the vulnerability +- optionally the type of vulnerability and any related [OWASP category](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project) +- non-destructive exploitation details + +We will do our best to reply as fast as possible. + +## Scope +The following vulnerabilities are not in scope: + +- volumetric vulnerabilities, for example overwhelming a service with a high volume of requests +- reports indicating that our services do not fully align with "best practice", for example missing security headers + +If you aren't sure, you can still reach out via email or direct message. + +--- + +This notice is inspired by the [Python Discord Security Notice](https://www.pythondiscord.com/pages/security-notice/).
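Review bot: The closing line of the Scope section ("you can still reach out via email or direct message") points reporters at a direct-message channel that the policy never names; only `support@mhsf.app` and the GitHub Security tab are listed under Reporting a Vulnerability, so either name the DM channel (e.g. the account or platform) or drop "or direct message" so the two sections agree. Two smaller documentation points in the same hunk: the policy asks for "non-destructive exploitation details" over plain email but offers no encrypted channel (no PGP key, and no statement that the GitHub "Report a vulnerability" form is the preferred route for sensitive detail), and "We will do our best to reply as fast as possible" gives no acknowledgement window or disclosure timeline, which reporters usually need before deciding when a finding becomes public. The OWASP link also targets the 2017 Top Ten project page; linking the current OWASP Top Ten would keep the categories reporters pick from up to date.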