diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000000..69dd504e5f --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,9 @@ +# Reporting a security vulnerability + +NodeBB's security policy is based around a private bug bounty program. Users are invited to explore NodeBB for vulnerabilities, and report them to the NodeBB team so that they can be patched. + +If you have found a security vulnerability, **do not post it onto our GitHub tracker**. Some security vulnerabilities are quite severe and discretion is recommended. Email the NodeBB Security Team at security@nodebb.org, instead. + +# Bug Bounty Program + +Security vulnerability reports may be eligible for a bounty based on severity and confirmation from NodeBB team members. For full details regarding our bug bounty program, including the bounty amounts, please consult the following page: https://blog.nodebb.org/bounty \ No newline at end of file
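
Review bot: The reporting paragraph (the added line beginning "If you have found a security vulnerability") gives reporters only the address security@nodebb.org and says nothing about what a report should contain or when to expect a reply. Consider adding a short list of what to include (affected version, reproduction steps, impact) and an expected acknowledgement window, and, if the team has one, a key for encrypting reports, since the same paragraph says some vulnerabilities are quite severe. Two smaller points: both headings are level 1 with different capitalization (`# Reporting a security vulnerability` and `# Bug Bounty Program`), so align the casing or make the second a subsection; and the file ends without a trailing newline (`\ No newline at end of file`), which is worth adding.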