diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..fb74718 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,38 @@ +# Security + +NHS Digital takes security and the protection of private data extremely +seriously. If you believe you have found a vulnerability or other issue which +has compromised or could compromise the security of any of our systems and/or +private data managed by our systems, please do not hesitate to contact us using +the methods outlined below. + +## Reporting a vulnerability +**PLEASE NOTE: Email and HackerOne are our preferred methods of receiving +reports.** + +### Email +If you wish to notify us of a vulnerability via email, please include detailed +information on the nature of the vulnerability and any steps required to +reproduce it. + +You can reach us at: +* cybersecurity@nhs.net +* api.management@nhs.net + +### HackerOne +If you are registered with HackerOne and have been admitted to the NHS +Programme, you can report directly to us at: https://hackerone.com/nhs + +### NCSC +You can send your report to the National Cyber Security Centre, who will assess +your report and pass it on to NHS Digital if necessary. + +You can report vulnerabilities here: +https://www.ncsc.gov.uk/information/vulnerability-reporting + +### OpenBugBounty +We also accept bug reports via OpenBugBounty: https://www.openbugbounty.org/ + +## General Security Enquiries +If you have general enquiries regarding our cyber security, please reach out +to us at cybersecurity@nhs.net
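Review bot: The "### Email" section asks reporters for "detailed information on the nature of the vulnerability and any steps required to reproduce it" but lists only two plain addresses, with no PGP key or other confidential channel, so the reproduction details the policy requests would travel as ordinary mail. Consider publishing a key (or its fingerprint) next to the addresses, or telling reporters to send only a summary first and wait for a secure channel. The same section lists cybersecurity@nhs.net and api.management@nhs.net without saying which one to use for which kind of report, while "## General Security Enquiries" names only the first; a line stating the scope of each mailbox would avoid reports going to the wrong one. The note that "Email and HackerOne are our preferred methods" also sits oddly with the HackerOne section's condition that the reporter has "been admitted to the NHS Programme", which leaves email as the only preferred route for anyone not admitted; it would help to say so explicitly. Finally, the file says how to report but not what happens next: a short paragraph on acknowledgement and on how disclosure is coordinated would tell reporters what to expect.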