diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..c8f7c6b
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,18 @@
+# Security Policy
+
+## Supported Versions
+
+We're aiming to only support the latest major version of log4js. Older than that is usually *very* old.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 6.x     | :white_check_mark: |
+| < 6.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Report vulnerabilities via email to:
+
+* Gareth Jones <gareth.nomiddlename@gmail.com>
+
+Please put "[log4js:security]" in the subject line. We will aim to respond within a day or two.