diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 000000000..46b7e500f --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,3 @@ +If you've found a security or privacy issue on the .gov top-level domain infrastructure, email dotgov@cisa.dhs.gov. + +If you see a security or privacy issue on a .gov domain, check [current-full.csv]([url](https://github.com/cisagov/dotgov-data/blob/main/current-full.csv)) or whois (same data) to see if the domain has a security contact. Most [federal (executive branch) agencies]([url](https://github.com/cisagov/vdp-in-fceb/)) also have a vulnerability disclosure policy. If you are unable to find a contact or receive no response from the security contact, you may email dotgov@cisa.dhs.gov.
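Review bot: both Markdown links in the second paragraph of the new SECURITY.md are malformed, because each wraps a second link inside its target, as in `[current-full.csv]([url](https://github.com/cisagov/dotgov-data/blob/main/current-full.csv))`. The `[url](...)` looks like leftover placeholder text from an editor's link template. As written, neither link will resolve to the intended URL, so a reporter trying to find a domain's security contact or an agency's vulnerability disclosure policy hits a dead end. Put the URL directly in the target: `[current-full.csv](https://github.com/cisagov/dotgov-data/blob/main/current-full.csv)` and `[federal (executive branch) agencies](https://github.com/cisagov/vdp-in-fceb/)`. Separately, the file has no heading. A short title line would make it easier to recognise as the reporting policy when viewed on its own.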