diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 9c3e2c353..9dee68787 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -19,6 +19,8 @@ A good bug report will include: - What you think *should* have happened. - Anything you can find in your [browser's console window][jserrors]. +If you believe you have found a security issue, follow the guidelines in [SECURITY.md](./SECURITY.md). + ## Contributing a pull request ### Getting started diff --git a/README.md b/README.md index 331a02793..53bc70daf 100644 --- a/README.md +++ b/README.md 
@@ -8,7 +8,7 @@ See [Wikipedia:Twinkle][] on the English Wikipedia for more information. ## How to file a bug report or feature request -If you're unsure whether you are experiencing a Twinkle-based bug, you should first try asking at [Wikipedia talk:Twinkle][], where other editors may assist you. Bugs may be filed either here or at [Wikipedia talk:Twinkle][]. For simple feature requests or changes (e.g., a template was deleted or renamed) feel free to open an issue or pull request here, but for more significant changes, consider discussing the idea on [Wikipedia talk:Twinkle][] and any relevant pages first to ensure there is consensus for the change and to get broader community input. +If you're unsure whether you are experiencing a Twinkle-based bug, you should first try asking at [Wikipedia talk:Twinkle][], where other editors may assist you. Bugs may be filed either here or at [Wikipedia talk:Twinkle][]. For simple feature requests or changes (e.g., a template was deleted or renamed) feel free to open an issue or pull request here, but for more significant changes, consider discussing the idea on [Wikipedia talk:Twinkle][] and any relevant pages first to ensure there is consensus for the change and to get broader community input. If you believe you have found a security issue, follow the guidelines in [SECURITY.md](./SECURITY.md). If you'd like to start contributing, awesome! Check out [CONTRIBUTING.md](CONTRIBUTING.md) to get started! diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..b7f0afbf7 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,12 @@ +# Reporting a security issue + +Although rare, we take security bugs in Twinkle seriously. + +If you believe you have found a security issue, please **privately** contact one or both of the currently-active maintainers: + +* @Amorymeltzer: [Email](https://en.wikipedia.org/wiki/Special:EmailUser/Amorymeltzer) +* @MusikAnimal: [Email](https://en.wikipedia.org/wiki/Special:EmailUser/MusikAnimal) + +Please include "Twinkle Security" in the subject line and include as much information in the body as you are capable of providing. We will respond as quickly as we are able with further steps. + +If one of use doesn't respond in a timely fashion, you can try to [contact another interface-admin](https://en.wikipedia.org/wiki/Special:ActiveUsers?groups=interface-admin&excludegroups=bot) with the same information.
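Review bot: Typo in the last paragraph of the new SECURITY.md: "If one of use doesn't respond" should read "If one of us doesn't respond". The opening sentence also has a dangling modifier ("Although rare, we take security bugs ... seriously" reads as if the maintainers are rare); suggest "Security bugs in Twinkle are rare, but we take them seriously." Finally, "in a timely fashion" gives reporters no concrete expectation; stating a rough window (for example, "within a week") before they escalate to another interface-admin would make the fallback step actionable.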
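Review bot: In the README hunk the new sentence is appended to the end of an already long paragraph about where to file bugs and feature requests, right after text saying "Bugs may be filed either here or at [Wikipedia talk:Twinkle][]", so a reader skimming for where to report is likely to miss it and open a public issue. Suggest moving it to its own short paragraph (or to the start of the section) and saying explicitly that security issues should not be reported as public issues or on the talk page, e.g. "Do not open a public issue for security problems; instead follow the guidelines in [SECURITY.md](SECURITY.md)." The link style also differs from the existing `[CONTRIBUTING.md](CONTRIBUTING.md)` on the next line, which has no `./` prefix.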
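Review bot: In the CONTRIBUTING.md hunk the new line sits directly under the "A good bug report will include" checklist, which tells people to include console errors and reproduction details; it should also make clear that those details go to the maintainers privately rather than into a public bug report, e.g. "If you believe you have found a security issue, do not file it as a public bug; follow the guidelines in [SECURITY.md](SECURITY.md) instead." As in the README, consider dropping the `./` prefix for consistency with the repository's other relative links.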