--- /dev/null
+# Security Policy
+
+## Supported Versions
+
+This project is still in its early development stages, so please consider
+any release not explicitly labeled as stable as experimental.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 0.x | :white_check_mark: |
+
+## Reporting a Vulnerability
+
+If you find a security vulnerability, please refrain from creating a
+public issue on Github, but rather contact me directly at <mike@php.net>
+or [another suitable private contact method](https://m6w6.name/#contact).
+
+Any past vulnerabilities should be found in release changelogs after they
+have been fixed.
+
+This is free and open source software provided under the the terms of
+the 2-Clause-BSD-License, see the [LICENSE](./LICENSE) file.
+Thus, honor and goodwill is all being offered for reporting
+-- or even fixing -- any vulnerability.
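
Review bot: The Supported Versions section marks all of 0.x as supported, while the sentence just above it asks readers to treat any release not labeled stable as experimental, so it is unclear which 0.x releases will actually receive security fixes. Suggest stating whether fixes land only in the latest 0.x release or are backported to earlier ones. In the Reporting a Vulnerability section only a contact address and link are given; a line on what a report should include and when the reporter can expect an acknowledgement would help. Two wording nits: "under the the terms" in the last paragraph has a duplicated "the", and "Github" should be "GitHub".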