diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..0f8261f2 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,34 @@ +# Security Policy + +## Reporting a Vulnerability + +If you discover a security vulnerability in libinput, please report it as a +**confidential issue** on GitLab: + +https://gitlab.freedesktop.org/libinput/libinput/-/issues/new?issue[confidential]=true + +Do **not** report security vulnerabilities through public issues, mailing +lists, or other public channels. + +A confidential issue is only visible to the project maintainers and the +reporter. Once the issue has been resolved and a fix has been released, the +issue will be made public. + +### What to Include in Your Report + +To help us triage and fix the issue quickly, please provide: +* A clear description of the vulnerability and its potential impact. +* Step-by-step instructions (or a Proof of Concept script) to reproduce the issue. +* The other information that the pre-filled issue template will request. + +## Our Process + +We will acknowledge receipt of your report as soon as possible. Note that due +to the small team working on libinput acknowledgement may take several days, +especially on weekends and public holidays. + +Our core team will investigate the issue in the confidential thread. We will +coordinate a security release and, where applicable, request a CVE. Credit +will be given to the reporter upon public disclosure unless requested +otherwise. If you require a specific text (e.g. "John Smith on behalf of +Corporation") please provide this information in the issue.
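Review bot: the new SECURITY.md gives reporters no fallback when the GitLab confidential-issue route is unusable (no account, or the instance is down); consider naming a maintainer contact address or at least stating that a GitLab account is required. It also never says which releases receive security fixes, so a short "Supported Versions" note would save triage back-and-forth. Two wording fixes in the hunk: "The other information that the pre-filled issue template will request." reads better as "Any other information the pre-filled issue template requests.", and "due to the small team working on libinput acknowledgement may take several days" needs a comma after "libinput".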