--- /dev/null
+# Arvados Project Security Policy
+
+## Supported Versions
+
+The Arvados project will issue security fixes by making point releases
+on the current stable release series (X.Y.0, X.Y.1, X.Y.2, etc).
+
+The most recent stable release version, along with release notes and
+upgrade notes documenting security fixes, can be found at these
+locations:
+
+https://arvados.org/releases/
+
+https://doc.arvados.org/admin/upgrading.html
+
+The Arvados project does not support versions older than the current
+stable release except by special arrangement (contact info@curii.com).
+
+Release announcements, including notification of security fixes, are
+sent to the Arvados announcement list:
+
+https://lists.arvados.org//mailman/listinfo/arvados
+
+## Reporting Security Issues
+
+If you believe you have found a security vulnerability in any Arvados-owned repository, please report it to us through coordinated disclosure.
+
+**Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
+
+Instead, please send an email to dev@curii.com.
+
+Please include as much of the information listed below as you can to help us better understand and resolve the issue:
+
+ * The type of issue (e.g., remote code execution, SQL injection, or cross-site scripting)
+ * Full paths of source file(s) related to the manifestation of the issue
+ * The location of the affected source code (tag/branch/commit or direct URL)
+ * Any special configuration required to reproduce the issue
+ * Step-by-step instructions to reproduce the issue
+ * Proof-of-concept or exploit code (if possible)
+ * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
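Review bot: The reporting section gives no response expectations, so a reporter has no way to tell whether a report to dev@curii.com was received or when to expect a fix or a coordinated publication date; add a sentence stating the acknowledgement target (e.g. "We will acknowledge receipt within N business days") and how the disclosure timeline is agreed, and consider offering a PGP key or other encrypted channel, since the list of requested details includes proof-of-concept or exploit code that should not travel in plaintext mail. Two minor points in the same hunk: the announcement-list URL `https://lists.arvados.org//mailman/listinfo/arvados` has a doubled slash after the host, and the policy names two different addresses (info@curii.com for extended-support arrangements, dev@curii.com for vulnerability reports) without saying so explicitly; a short clause distinguishing their purposes would avoid reports going to the wrong mailbox.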