diff --git a/README.md b/README.md index af9c409..7ef6c75 100644 --- a/README.md +++ b/README.md @@ -117,6 +117,10 @@ Add these hooks to your Claude Code config (`.claude/settings.json`) to auto-tra See [HOOKS.md](HOOKS.md) for detailed configuration options and troubleshooting. +## Security + +To report a security vulnerability, use GitHub private vulnerability reporting. Do not open a public issue. See [SECURITY.md](SECURITY.md) for the reporting process. + ## Tech Stack - **Backend**: Express 5, SQLite, Drizzle ORM, node-pty diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..67c8edf --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,29 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security issue in this repository, do not open a public GitHub issue. + +Please use GitHub's private vulnerability reporting flow for this repository: + +- Open the repository's **Security** tab. +- Go to **Advisories**. +- Click **Report a vulnerability**. +- Or go directly to: + +Include as much detail as possible: + +- A clear description of the issue and its impact +- Reproduction steps or a proof of concept +- The affected area, version, branch, or commit if known +- Any environment details needed to reproduce the issue + +We will aim to acknowledge new reports within 5 business days and will work with you on coordinated disclosure. + +## Scope + +This policy applies to security issues in the application code and repository contents for this project. + +## Supported Versions + +Security fixes are provided for the latest code on the default branch.
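Review bot: The new `## Security` section in README.md tells reporters to "use GitHub private vulnerability reporting", but that flow only exists if private vulnerability reporting has been enabled for this repository in its settings; otherwise the Security tab shows no "Report a vulnerability" button and the instruction (and the SECURITY.md it links to) leads nowhere. Please confirm the setting is switched on in the same change, or add a fallback contact (e.g. a security e-mail address) to the section so a reporter always has a private channel.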
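Review bot: In SECURITY.md the list item `- Or go directly to:` ends at the colon with no link after it, so the rendered policy has a dangling bullet. Either drop the line or complete it with the repository's direct reporting URL, which for GitHub's private vulnerability reporting follows the pattern `https://github.com/OWNER/REPO/security/advisories/new` (substitute this repository's owner and name). Two smaller points in the same file: the "Scope" section says what is in scope but not what is out of scope (third-party dependencies, the hosted GitHub service itself), which tends to generate noise reports, and "Supported Versions" could state explicitly that tagged releases older than the default branch receive no backports so reporters know to test against `main` before filing.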