diff --git a/.github/ISSUE_TEMPLATE.md b/.github/ISSUE_TEMPLATE.md index bac24aca4..ef1c8f934 100644 --- a/.github/ISSUE_TEMPLATE.md +++ b/.github/ISSUE_TEMPLATE.md @@ -3,6 +3,7 @@ Frequently Asked Questions: https://github.com/epoberezkin/ajv/blob/master/FAQ.m Please provide all info and reduce your schema and data to the smallest possible size. This template is for bug or error reports. For other issues please use: +- security vulnerability: https://tidelift.com/security) - a new feature/improvement: http://epoberezkin.github.io/ajv/contribute.html#changes - browser/compatibility issues: http://epoberezkin.github.io/ajv/contribute.html#compatibility - JSON-Schema standard: http://epoberezkin.github.io/ajv/contribute.html#json-schema diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index eade3b876..c509accca 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -5,6 +5,7 @@ Thank you for your help making Ajv better! Every contribution is appreciated. If - [Documentation](#documentation) - [Issues](#issues) - [Bug reports](#bug-reports) + - [Security vulnerabilities](#security-vulnerabilities) - [Change proposals](#changes) - [Browser and compatibility issues](#compatibility) - [Installation and dependency issues](#installation) @@ -44,6 +45,15 @@ Please include the link to the working code sample at Runkit.com (please clone h [Create bug report](https://github.com/epoberezkin/ajv/issues/new?template=bug-or-error-report.md). +#### Security vulnerabilities + +To report a security vulnerability, please use the +[Tidelift security contact](https://tidelift.com/security). +Tidelift will coordinate the fix and disclosure. + +Please do NOT report security vulnerability via GitHub issues. + + #### Change proposals [Create a proposal](https://github.com/epoberezkin/ajv/issues/new?template=change.md) for a new feature, option or some other improvement. diff --git a/README.md b/README.md index 575861e55..eedb2a9a8 100644 --- a/README.md +++ b/README.md 
@@ -53,7 +53,11 @@ ajv.addMetaSchema(require('ajv/lib/refs/json-schema-draft-04.json')); - [Defining custom keywords](#defining-custom-keywords) - [Asynchronous schema compilation](#asynchronous-schema-compilation) - [Asynchronous validation](#asynchronous-validation) - - [Security considerations](#security-considerations) +- [Security considerations](#security-considerations) + - [Security contact](#security-contact) + - [Untrusted schemas](#untrusted-schemas) + - [Circular references in objects](#circular-references-in-javascript-objects) + - [Trusted schemas](#security-risks-of-trusted-schemas) - Modifying data during validation - [Filtering data](#filtering-data) - [Assigning defaults](#assigning-defaults) @@ -611,6 +615,13 @@ See [Options](#options). JSON Schema, if properly used, can replace data sanitisation. It doesn't replace other API security considerations. It also introduces additional security aspects to consider. +##### Security contact + +To report a security vulnerability, please use the +[Tidelift security contact](https://tidelift.com/security). +Tidelift will coordinate the fix and disclosure. Please do NOT report security vulnerability via GitHub issues. + + ##### Untrusted schemas Ajv treats JSON schemas as trusted as your application code. This security model is based on the most common use case, when the schemas are static and bundled together with the application.
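Review bot: the ISSUE_TEMPLATE.md hunk's new line `+- security vulnerability: https://tidelift.com/security)` carries a stray closing parenthesis with no matching opening one; depending on the renderer's autolink heuristics it either lands inside the link target or trails the link as visible text. Drop it: `- security vulnerability: https://tidelift.com/security`. Placing this item first in the list is the right call, since it is the one category that must not be filed as a public issue; it would help to say so inline here (the CONTRIBUTING.md hunk already has "Please do NOT report ... via GitHub issues"), because the template is the last thing a reporter reads before posting publicly.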
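Review bot: in the CONTRIBUTING.md table-of-contents hunk, the new entry `+  - [Security vulnerabilities](#security-vulnerabilities)` relies on the auto-generated slug of the `#### Security vulnerabilities` heading, whereas the neighbouring entries (`#changes`, `#compatibility`, `#installation`) use short custom anchors that do not match their heading text. Confirm the heading hunk provides whatever explicit anchor mechanism those siblings depend on, or accept that this is the one entry in the list that depends on renderer slugging; either is fine, but it should be deliberate.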
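Review bot: the CONTRIBUTING.md section hunk's line `+Please do NOT report security vulnerability via GitHub issues.` needs a plural or an article ("security vulnerabilities" or "a security vulnerability"); the identical sentence appears in the README.md hunk, so fix both. The section also ends with two blank lines before `#### Change proposals` while the surrounding sections use one; trim to one. On substance, the bug-report section directly above asks reporters to reduce schema and data to the smallest possible size; a sentence saying the same applies to security reports (affected version, minimal schema and data, and whether the issue needs an untrusted schema, which the README treats as a separate trust boundary) would make the reports Tidelift forwards actionable on first contact.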
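Review bot: in the README.md table-of-contents hunk, `Security considerations` is promoted from a nested entry under the asynchronous-validation group to a top-level one (`-  - [Security considerations]` becomes `+- [Security considerations]`); this is consistent with the unnested `- Modifying data during validation` that follows, but it is a restructuring unrelated to adding a security contact and should be mentioned in the commit message. The new sub-entries `[Circular references in objects](#circular-references-in-javascript-objects)` and `[Trusted schemas](#security-risks-of-trusted-schemas)` use link text that differs from their target slugs; since this hunk does not touch those headings, verify both anchors resolve to existing headings in the file.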
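Review bot: the README.md `##### Security contact` hunk repeats the singular/plural error from CONTRIBUTING.md in `+Tidelift will coordinate the fix and disclosure. Please do NOT report security vulnerability via GitHub issues.` and the same two trailing blank lines before `##### Untrusted schemas`. More importantly, the contact text is now duplicated verbatim across the README, CONTRIBUTING.md and the issue template, so a future change of reporting channel has to touch three files; consider keeping the full policy in one place (CONTRIBUTING.md, or a SECURITY.md, which GitHub surfaces in the repository's security tab) and having the README subsection link to it.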