diff --git a/README.md b/README.md index c7ef34decb8f94..a7bd369856636e 100644 --- a/README.md +++ b/README.md @@ -42,6 +42,15 @@ Build and test software of any size, quickly and reliably. * [Roadmap](https://bazel.build/roadmap.html) * [Who is using Bazel?](https://github.com/bazelbuild/bazel/wiki/Bazel-Users) +## Reporting a Vulnerability + +To report a security issue, please email security@bazel.build with a description +of the issue, the steps you took to create the issue, affected versions, and, if +known, mitigations for the issue. Our vulnerability management team will respond +within 3 working days of your email. If the issue is confirmed as a +vulnerability, we will open a Security Advisory. This project follows a 90 day +disclosure timeline. + ## Contributing to Bazel See [CONTRIBUTING.md](CONTRIBUTING.md) diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000000..fbc691eb654b44 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,10 @@ +# Security Policy + +## Reporting a Vulnerability + +To report a security issue, please email security@bazel.build with a description +of the issue, the steps you took to create the issue, affected versions, and, if +known, mitigations for the issue. Our vulnerability management team will respond +within 3 working days of your email. If the issue is confirmed as a +vulnerability, we will open a Security Advisory. This project follows a 90 day +disclosure timeline.
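Review bot: the new "Reporting a Vulnerability" section in README.md duplicates the SECURITY.md text word for word, so the two copies will drift the first time the contact address, response window or disclosure period changes; keep the policy in SECURITY.md only and have the README section link to it (e.g. `See [SECURITY.md](SECURITY.md) for how to report a security issue.`), matching how the adjacent "Contributing to Bazel" section already defers to CONTRIBUTING.md. Minor wording: "the steps you took to create the issue" reads more naturally as "steps to reproduce the issue", and "90 day disclosure timeline" should be hyphenated as "90-day".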
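Review bot: in the SECURITY.md hunk the policy leaves two points a reporter will need ambiguous: it says "we will open a Security Advisory" without saying where the advisory is published, and it says the project "follows a 90 day disclosure timeline" without saying whether that clock starts at the initial report or at confirmation of the vulnerability. Suggest stating both explicitly, e.g. "we will open a Security Advisory in this repository" (if that is the intended venue) and "90 days from the date of the initial report". The 3-working-day response commitment is also only a commitment to respond, not to triage; say so if that is the intent, so reporters know what to expect at that point.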