diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000000..f58390678b --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy + +## Scope and Deployment + +MagicMirror is primarily intended for trusted local/private network environments. +Direct public exposure to the internet or other untrusted networks is not recommended. + +We take security seriously and encourage responsible disclosure of vulnerabilities to help us improve the software. + +## Reporting a Vulnerability + +**Please keep vulnerability details private** — do not post them in public GitHub issues. + +Instead, reach out privately via the MagicMirror forum to one of the core developers: + +- [rejas](https://forum.magicmirror.builders/user/rejas) +- [karsten13](https://forum.magicmirror.builders/user/karsten13) +- [sdetweil](https://forum.magicmirror.builders/user/sdetweil) +- [Kristjan](https://forum.magicmirror.builders/user/kristjanesperanto) + +Please include, if possible: + +- Affected version(s) +- Reproduction steps or proof-of-concept +- What could an attacker do with this? +- Any ideas how to fix it? + +## Coordinated Disclosure + +We will keep reported vulnerabilities private until a fix is available and coordinate the disclosure timeline with you. +We aim to respond as quickly as possible.
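Review bot: The "Reporting a Vulnerability" section routes reports exclusively through forum private messages to four named individuals, with no fallback channel; consider adding a second route (for example GitHub's private vulnerability reporting, if it is enabled for this repository, or a dedicated mailbox) so a report does not stall if those forum accounts are inactive, and state in "Coordinated Disclosure" a concrete acknowledgement target (e.g. "we aim to acknowledge reports within N days") instead of the unmeasurable "as quickly as possible". It would also help reporters if the "Scope and Deployment" section said which versions or branches receive security fixes, since "Affected version(s)" is requested but no supported-version list is given.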