diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..8ac5bd969d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,7 @@ +# Reporting Security Issues + +If you believe you have found a security vulnerability in bud.js, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. + +While we take security very seriously it is important to remember that nearly all bud.js dependencies are run in local developer environments only, and even more bud.js dependencies are only used within the context of this repository. In the context of a build tool, many "vulenrabilities" are safe to ignore. Runtime vulnerabilities will always be taken very seriously and handled with urgency. + +Check out [npm audit: Broken by Design by Dan Abramov](https://overreacted.io/npm-audit-broken-by-design/) if you're interested in our thinking around the severity of non runtime security issues.
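Review bot: the new SECURITY.md asks reporters to "let us know right away" but never says how, so a reporter has no private channel and may fall back to a public issue; the line after "# Reporting Security Issues" should name the reporting path (a contact address or a private advisory link, whichever the project uses, left as a placeholder until decided) and what to expect after a report (acknowledgement, triage, disclosure). Two smaller points in the same hunk: "vulenrabilities" is a typo for "vulnerabilities", and "non runtime security issues" in the last paragraph should be hyphenated as "non-runtime". It would also help to state the distinction the third paragraph relies on in one sentence, i.e. that issues affecting what bud.js emits or runs in a deployed site are treated as runtime and urgent, while advisories against build-time-only dependencies are assessed for actual exposure first, so that reporters know which category their finding falls into before filing.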