diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 6f0b44fd..5cec2b40 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -87,6 +87,21 @@ jobs:
 - name: Sync build to staging directory
 run: rsync -crui ${{ github.workspace }}/website/${{ env.SITE_URL }}/ /srv/s3-staging/${{ env.SITE_URL }} --delete
+ - name: set branch env
+ run: echo "BRANCH=${{ github.ref_name }}" >> $GITHUB_ENV
+ - name: security.txt
+ # If running on master branch, add signed security.txt file
+ if: env.BRANCH == 'master'
+ run: |
+ cd "$GITHUB_WORKSPACE/website"
+ /srv/github-action-scripts/sign-security.sh
+ if [ -f "security.txt.asc" ]; then
+ mkdir "/srv/s3-staging/${{ env.SITE_URL }}/.well-known"
+ mv security.txt.asc "/srv/s3-staging/${{ env.SITE_URL }}/.well-known/security.txt"
+ else
+ echo "No security.txt.asc produced"
+ fi
+
 - name: Upload to S3
 run: /srv/github-action-scripts/upload-to-s3-root.sh
diff --git a/_config.yml b/_config.yml
index f9b3b81d..20fef42b 100644
--- a/_config.yml
+++ b/_config.yml
@@ -44,6 +44,7 @@ exclude:
 - staging.96boards.org
 - production.96boards.org
 - merged_sources
+ - security.txt
 sass:
 style: compressed
 load_paths:
diff --git a/security.txt b/security.txt
new file mode 100644
index 00000000..af6c3d5a
--- /dev/null
+++ b/security.txt
@@ -0,0 +1,2 @@
+Contact: mailto:psirt@linaro.org
+Canonical: https://www.96boards.org/.well-known/security.txt
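Review bot: The `set branch env` step in `.github/workflows/push.yml` expands `${{ github.ref_name }}` into the `run:` script text before the shell parses it, so a pushed ref name containing shell metacharacters would be interpreted as shell syntax on the runner. Judging by the `/srv/...` paths this looks like the self-hosted host that also signs and uploads, though the job header is outside the hunk. The step can be dropped entirely, because the condition can read the context directly with `if: github.ref_name == 'master'`, which the Actions expression engine evaluates without involving a shell. Separately, `mkdir` without `-p` fails when `.well-known` already exists in the staging tree; `mkdir -p "/srv/s3-staging/${{ env.SITE_URL }}/.well-known"` keeps the step re-runnable. The `else` branch only logs, so a master build where signing produced nothing still proceeds to the upload without a `security.txt`; consider `exit 1` there if publishing without it is not acceptable.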
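Review bot: The new `security.txt` carries only `Contact` and `Canonical` and has no `Expires` field, which RFC 9116 requires, so validators and scanners will treat the published file as invalid. This holds unless `sign-security.sh`, which is not visible in this commit, appends one before signing. If the script does not add it, include a line of the form `Expires: <RFC 3339 date-time placeholder>` and make sure the signed file is regenerated before that date passes. Because the file is clear-signed, the field has to be present before the signature is produced, not patched in afterwards.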