diff --git a/README.md b/README.md index 4346317..8c43de8 100644 --- a/README.md +++ b/README.md @@ -140,6 +140,11 @@ information contained in the token via the following instance methods: * `locale` +## Security + +For information on our security response procedure, see [SECURITY.md](SECURITY.md). + + ## License Google Sign-In for Rails is released under the [MIT License](https://opensource.org/licenses/MIT). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..c15194f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,15 @@ +# Google-Sign in for Rails: Security + +Security is of utmost importance in an authentication library like Google Sign-In for Rails. We at Basecamp use this plugin in our own apps, so we have a vested interest in investigating and mitigating all reported vulnerabilities. We welcome responsible security reviews and reports from our peers in the open-source software community and strive to acknowledge such valuable contributions. + + +## Reporting a vulnerability + +Send urgent or sensitive reports to ****. If necessary, use our [public key] to protect your message and provide us with a secure way to respond. We’ll get back to you as soon as we can—usually within one business day. Please follow up or [ping us on Twitter][twitter] if you don’t hear back. For non-urgent or non-sensitive requests, please contact our [support team][support]. + +Read more about our security response policy [on our website][policy]. + +[public key]: https://basecamp.com/about/policies/security/Basecamp-security.pub +[twitter]: https://twitter.com/basecamp +[support]: https://basecamp.com/support +[policy]: https://basecamp.com/about/policies/security/response
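Review bot: the README hunk adds two consecutive `+` blank lines before the ` ## License` context line, so the rendered README will have a double blank line between the new Security section and License; drop one so the spacing matches the single blank line used between the other sections. Also consider pointing the sentence `For information on our security response procedure, see [SECURITY.md](SECURITY.md).` at the reporting instructions specifically, since that is what a reader landing in the README is looking for.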
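Review bot: in the SECURITY.md hunk the reporting address in `+Send urgent or sensitive reports to ****.` is shown as asterisks, so as committed the file names no address to send a vulnerability report to; confirm the intended contact address is present in the actual file before merging, otherwise the "Reporting a vulnerability" section does not work. Two smaller points in the same hunk: the heading `+# Google-Sign in for Rails: Security` hyphenates and capitalises the project name differently from `Google Sign-In for Rails` used in the body and in the README, so make it `# Google Sign-In for Rails: Security`; and there are two blank `+` lines between the introductory paragraph and `+## Reporting a vulnerability` where one would do.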