diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..5fd2976 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,74 @@ +# Security Policy + +## Reporting Security Vulnerabilities + +We take security vulnerabilities seriously and appreciate your efforts to responsibly disclose any issues you may find. + +### How to Report a Security Vulnerability + +If you discover a security vulnerability in Payy, please report it to us through one of the following channels: + +**Primary Contact:** +- Email: security@payy.network + +**Alternative Contacts:** +- Create a private security advisory on GitHub: [Report a vulnerability](https://github.com/polybase/zk-rollup/security/advisories/new) +- Contact the maintainers directly: + - @calummoore + - @soru23 + +### What to Include in Your Report + +To help us understand and address the issue quickly, please include: + +1. A clear description of the vulnerability +2. Steps to reproduce the issue +3. Potential impact assessment +4. Any suggested fixes or mitigations +5. Your contact information for follow-up questions + +### Response Timeline + +- **Acknowledgment**: We will acknowledge receipt of your report within 48 hours +- **Initial Assessment**: We will provide an initial assessment within 5 business days +- **Resolution**: We aim to resolve critical vulnerabilities within 30 days + +### Responsible Disclosure Guidelines + +We ask that you: + +- Give us reasonable time to investigate and fix the issue before public disclosure +- Avoid accessing, modifying, or deleting user data +- Do not perform actions that could harm the service or its users +- Do not publicly disclose the vulnerability until we have had a chance to address it + +### Bug Bounty Program + +We are currently evaluating the establishment of a formal bug bounty program. In the meantime, we will consider rewards for significant security findings on a case-by-case basis. 
+ +### Scope + +This security policy applies to: + +- The Payy zk-rollup protocol +- Smart contracts deployed on Ethereum +- Core node implementation +- Prover and aggregator services +- Frontend applications +- API endpoints and RPC services + +### Out of Scope + +- Third-party dependencies (please report directly to the respective projects) +- Social engineering attacks +- Physical security issues +- Denial of service attacks + +### Recognition + +We believe in recognizing security researchers who help make Payy safer. With your permission, we will: + +- Acknowledge your contribution in our security advisories +- Add you to our security researchers hall of fame (if you wish) + +Thank you for helping keep Payy and our users safe!
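Review bot: The primary reporting channel is a bare mailbox (`- Email: security@payy.network`) with no PGP key or fingerprint, so a reporter has no sanctioned way to send reproduction steps for a rollup or smart-contract bug without exposing them in plaintext transit; either publish a key and its fingerprint next to the address, or make the GitHub private advisory the primary channel and list email as the fallback. Three smaller points in the same hunk: `- Contact the maintainers directly:` lists `@calummoore` and `@soru23` without saying which platform those handles belong to; the Scope section names `Smart contracts deployed on Ethereum` and `Core node implementation` but no contract addresses, networks or repositories, so a researcher cannot tell whether a given deployment is in scope or whether testing must stay on a testnet rather than touch live user funds (the `Avoid accessing, modifying, or deleting user data` rule implies the latter but does not say so); and the Responsible Disclosure Guidelines ask for `reasonable time` without a concrete disclosure window or any safe-harbor statement, so a reporter who follows the rules has no stated assurance against legal action. Suggest adding a `### Safe Harbor` subsection in the same heading style and an explicit window (for example 90 days from acknowledgment) tied to the stated 30-day resolution target for critical issues.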