diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..9bc868d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,36 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security issue, please report it **privately**. + +Email: rrosado6@gatech.edu +Subject: SECURITY: + +Include: +- Description of the issue and impact +- Steps to reproduce (POC if available) +- Affected components +- Screenshots or logs (if helpful) + +Do not open public issues for security vulnerabilities. + +## Response Timeline + +- Acknowledgement within 2 business days +- Triage and severity assessment within 5 business days +- Fix or mitigation as soon as practical based on severity + +## Responsible Disclosure + +We support responsible security research conducted in good faith. +Please avoid service disruption, data exfiltration beyond proof-of-concept, or privacy violations. + +Public disclosure should occur only after a fix or mitigation is available. + +## Security Expectations + +- Enforce server-side authorization (RBAC) +- Protect sensitive data in transit (TLS) +- Log and audit critical actions +- Review code before merging
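Review bot: The "Subject: SECURITY:" line under "Reporting a Vulnerability" is an unfinished template; either spell out what should follow the prefix (e.g. "Subject: SECURITY: <short summary of the issue>") or drop the trailing colon so reporters do not send empty subjects. Two gaps in the same section are worth closing before merge: the policy asks for a POC and logs but names only a plain mailto address, so it should either publish a key for encrypted reports or state that reproduction details can be shared through a private channel on request; and there is no scope or supported-versions statement, so reporters cannot tell which releases or components are in scope. In "Response Timeline", "Fix or mitigation as soon as practical based on severity" gives the reporter nothing to coordinate disclosure against, which undercuts the "only after a fix or mitigation is available" rule in "Responsible Disclosure"; a target window per severity, or at least a maximum embargo after which the reporter may publish, would make the two sections consistent. Finally, "Security Expectations" reads as internal engineering guidance rather than reporting policy; consider moving it to CONTRIBUTING.md or a development guide so SECURITY.md stays a single-purpose document that tooling and researchers expect.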