diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..6e343ee36
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,25 @@
+# Security Policy
+
+## Supported Versions
+
+Expr is generally backwards compatible with very few exceptions, so we
+recommend users to always use the latest version to experience stability,
+performance and security.
+
+We generally backport security issues to a single previous minor version,
+unless this is not possible or feasible with a reasonable effort.
+
+| Version | Supported          |
+|---------|--------------------|
+| 1.15    | :white_check_mark: |
+| 1.14    | :white_check_mark: |
+| 1.13    | :white_check_mark: |
+| 1.12    | :white_check_mark: |
+| < 1.12  | :x:                |
+
+## Reporting a Vulnerability
+
+If you believe you've discovered a serious vulnerability, please contact the
+Expr core team at anton+security@medv.io. We will evaluate your report and if
+necessary issue a fix and an advisory. If the issue was previously undisclosed,
+we'll also mention your name in the credits.