diff --git a/README.md b/README.md
index 8bac3eba..08a86d9a 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,10 @@ Contributions are welcome. Before contributing, please see
 the [Code of Conduct](doc/code-of-conduct.md) and 
 [the contributing guide](doc/contributing.md).
 
+## Reporting Security Vulnerabilities
+
+Please follow the procedure described in [SECURITY.md](SECURITY.md).
+
 ## License
 
 Pinniped is open source and licensed under Apache License Version 2.0. See [LICENSE](LICENSE) file.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..ad936e3e
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,12 @@
+# Reporting a Vulnerability
+
+Pinniped development is sponsored by VMware, and the Pinniped team encourages users 
+who become aware of a security vulnerability in Pinniped to report any potential 
+vulnerabilities found to security@vmware.com. If possible, please include a description 
+of the effects of the vulnerability, reproduction steps, and a description of in which
+version of Pinniped or its dependencies the vulnerability was discovered. 
+The use of encrypted email is encouraged. The public PGP key can be found at https://kb.vmware.com/kb/1055.
+
+The Pinniped team hopes that users encountering a new vulnerability will contact 
+us privately as it is in the best interests of our users that the Pinniped team has 
+an opportunity to investigate and confirm a suspected vulnerability before it becomes public knowledge.