diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..e6b03a44fe6f --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,26 @@ +# Security Policy + +## Supported Versions + +Currently supported stable Cobalt versions are. + +| Version | Release status | Supported | +| ------- | -----------------|------------------- | +| 25.lts | upcoming release | :white_check_mark: | +| 24.lts | last stable | :white_check_mark: | +| 23.lts | maintenance | :white_check_mark: | +| 22.lts | EOL | :no_entry: | +| < 21.lts| no support | :x: | + + +## Model + +Although Cobalt is built to process web content similar to browsers, +it is not a web browser. Our security model assumes _only trusted content +processing_. + +## Reporting a Vulnerability + +Please use [https://developers.google.com/youtube/cobalt](https://developers.google.com/youtube/cobalt/docs/communication) as an overall guide where to report issues. + +Critical security vulnerabilities should be reported via yt-cobalt-security@google.com.
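Review bot: The Supported Versions table leaves 21.lts unclassified: the rows go from `22.lts` (EOL) to `< 21.lts` (no support), so a reader on 21.lts cannot tell whether reports against it are accepted. Change the last row to `< 22.lts` or `<= 21.lts`, whichever is intended. In the same section, the intro sentence says "Currently supported stable Cobalt versions" but the table lists 25.lts as an "upcoming release"; either drop "stable" or note that pre-release branches are also covered, and end that sentence with a colon rather than a period. Under Reporting a Vulnerability, the link text shows `https://developers.google.com/youtube/cobalt` while the target is the `/docs/communication` page; use descriptive link text or make the displayed URL match the target so readers can see where they will land. The Model section would also benefit from one sentence saying what counts as "trusted content", since that determines which reports are in scope.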