diff --git a/README.md b/README.md index 17e07a7..ff47c94 100644 --- a/README.md +++ b/README.md @@ -9,6 +9,9 @@ > Normalize OpenAI, Anthropic and Gemini API errors into one shape: category, retryable flag and `Retry-After` delay. **Zero dependencies.** +Security posture is tracked in [docs/security-posture.md](./docs/security-posture.md), +including CodeQL, OpenSSF Scorecard, Dependabot and branch rules. + Every LLM provider fails differently. OpenAI nests `{ error: { type, code, param } }`, Anthropic wraps `{ type: "error", error: { type } }`, Gemini speaks Google RPC status strings, and each puts retry hints in a different place. `llm-errors` collapses all of that into a single, predictable object so your retry and error-handling code stays provider-agnostic. ```ts diff --git a/docs/security-posture.md b/docs/security-posture.md new file mode 100644 index 0000000..dede8bb --- /dev/null +++ b/docs/security-posture.md @@ -0,0 +1,20 @@ +# Security posture + +`llm-errors` is a zero-runtime-dependency package, but the repository still +tracks supply-chain controls as part of maintenance. + +Current controls: + +- MIT license and public security policy. +- GitHub vulnerability alerts and Dependabot security updates. +- Secret scanning and push protection. +- CI on Node 20 and 22. +- CodeQL analysis for JavaScript/TypeScript. +- OpenSSF Scorecard workflow with published results. +- Pinned GitHub Actions and least-privilege workflow permissions. +- Branch ruleset for `main` requiring CI and CodeQL checks before merge. +- CODEOWNERS for maintainer review visibility. + +Security reports should not be opened as public issues. Use the process in +[SECURITY.md](../SECURITY.md) or contact +[sebastian@0a.cl](mailto:sebastian@0a.cl).
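Review bot: in the new docs/security-posture.md, several bullets under "Current controls" are repository-configuration claims the reader cannot check from the doc itself ("Pinned GitHub Actions and least-privilege workflow permissions", "Branch ruleset for `main` requiring CI and CodeQL checks before merge", "OpenSSF Scorecard workflow with published results"); link each to its evidence, e.g. the workflow files under `.github/workflows/` and the Scorecard results page, so the doc does not silently go stale when the configuration drifts. Two wording points in the same list: "Pinned GitHub Actions" should state that actions are pinned to a full commit SHA, since pinning to a mutable tag is what the Scorecard Pinned-Dependencies check flags; and "MIT license and public security policy" is not a supply-chain control, so either drop it or move it out of the controls list. The list also says nothing about the release path (who can publish the package, whether releases run from CI, whether provenance attestations are produced); for a zero-runtime-dependency library that is the control consumers of this doc will look for first, so add a bullet describing it even if the answer is a manual publish by the maintainer. Finally, the closing paragraph hardcodes a personal email address next to the link to SECURITY.md; keep the contact details in one place (SECURITY.md) so the two cannot diverge.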