diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..c7e61fe9 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,33 @@ +# Security Policy + +## Reporting a Vulnerability + +**Please do not report security vulnerabilities through public GitHub issues.** + +Instead, please report them via email to: **security@gsd.build** (or DM @glittercowboy on Discord/Twitter if email bounces) + +Include: +- Description of the vulnerability +- Steps to reproduce +- Potential impact +- Any suggested fixes (optional) + +## Response Timeline + +- **Acknowledgment**: Within 48 hours +- **Initial assessment**: Within 1 week +- **Fix timeline**: Depends on severity, but we aim for: + - Critical: 24-48 hours + - High: 1 week + - Medium/Low: Next release + +## Scope + +Security issues in the GSD codebase that could: +- Execute arbitrary code on user machines +- Expose sensitive data (API keys, credentials) +- Compromise the integrity of generated plans/code + +## Recognition + +We appreciate responsible disclosure and will credit reporters in release notes (unless you prefer to remain anonymous).
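Review bot: the "Reporting a Vulnerability" section offers no confidential channel beyond plain email, and its fallback ("DM @glittercowboy on Discord/Twitter if email bounces") sends reproduction steps and impact details over unencrypted DMs to a personal account. Consider publishing a PGP key or fingerprint for security@gsd.build, or pointing reporters to GitHub's private vulnerability reporting for this repository, and adding a "Supported Versions" section so reporters know which releases the Scope section applies to. The file otherwise reads well; the 33-line count in the hunk header matches the added content.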