remkop · remkop · Jan 31, 2022 · Jan 31, 2022 · Jan 31, 2022
diff --git a/RELEASE-NOTES.md b/RELEASE-NOTES.md
@@ -51,6 +51,7 @@ Picocli follows [semantic versioning](http://semver.org/).
 * [#1544][#1545] DOC: Add NOTICE file with GPL v2 + CPE license. Thanks to [Keith M Swartz](https://github.com/kswartz26) for the pull request.
 * [#1553] SECURITY: Fix code scanning alert - Token-Permissions
 * [#1554] SECURITY: Fix code scanning alert - Pinned-Dependencies
+* [#1555] SECURITY: Fix code scanning alert - Create SECURITY.md 
 * [#1491] BUILD: Add build job in CI; Thanks to [Goooler](https://github.com/Goooler) for the pull request.
 * [#1482] BUILD: Optimize gradle; Thanks to [Goooler](https://github.com/Goooler) for the pull request.
 * [#1461] BUILD: Allow publishing without signing for non-release versions. Thanks to [Andreas Deininger](https://github.com/deining) for raising this.

diff --git a/SECURITY.md b/SECURITY.md
@@ -0,0 +1,26 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report vulnerabilities you find in picocli to:
+
+```
+rpopma at apache.org
+```
+
+Anyone can send email to this address.
+The resolution of any reported security issues will be handled in confidence.
+In your report, please note how you would like to be credited for discovering the issue.
+
+## Supported Versions
+
+| Version       | Supported          |
+| ------------- | ------------------ |
+| latest 4.x.x  | :white_check_mark: |
+| older 4.x.x   | :x:                |
+| < 4.0         | :x:                |
+
+## Why follow this process
+Due to the sensitive nature of security bugs, the disclosure process is more constrained than a regular bug.
+We appreciate you following these industry accepted guidelines, which gives time for a proper fix and limit the time window of attack.
+