diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..571247c --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in this project, please report it responsibly. Do NOT open a public GitHub issue for security vulnerabilities. Open a private security advisory via GitHub Security tab. + +## Response Timeline + +- Acknowledgment: within 48 hours +- Initial assessment: within 7 days +- Fix or mitigation: depends on severity + +## Scope + +This repository contains Markdown-based agent definitions and shell scripts for installation and conversion. + +### Agent files (.md) +- Non-executable prompt definitions +- No API keys, secrets, or credentials should be stored in agent files + +### Shell scripts (scripts/) +- install.sh, convert.sh, and lint-agents.sh are executable +- Contributors should review scripts for unintended behavior before running + +## Best Practices for Contributors + +- Never commit API keys, tokens, or credentials +- Never add executable code inside agent Markdown files +- Shell scripts must be reviewed before merging +- Report suspicious agent definitions that attempt prompt injection +EOFcat SECURITY.md
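Review bot: The last added line, `+EOFcat SECURITY.md`, looks like a heredoc terminator run together with the following shell command and committed into the file. It is counted in the hunk's 31 lines, so it will be rendered as part of the policy; drop it so the file ends at the prompt-injection bullet. Two smaller points in the same hunk: the Reporting section names only the "GitHub Security tab" route, so consider stating a fallback contact for reporters who cannot use private advisories, and "Fix or mitigation: depends on severity" gives no target at all, where even a per-severity range would set expectations. The Scope section also calls agent files "Non-executable prompt definitions" while the last bullet asks contributors to report definitions that attempt prompt injection; a sentence saying that agent files are in scope for reports of that kind would make the two consistent.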