diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 250398f8a..2c4fd99d5 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -16,9 +16,6 @@ Issues keeping the issues properly organized and searchable (by OS, issue type, etc.). * When reporting a malfunction, consider enabling [debug mode](https://psutil.readthedocs.io/en/latest/#debug-mode) first. -* To report a **security vulnerability**, use the - [Tidelift security contact](https://tidelift.com/security). - Tidelift will coordinate the fix and the disclosure of the reported problem. Pull Requests ------------- diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..3ace82d94 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,17 @@ +# Security Policy + +If you have discovered a security vulnerability in this project, please report it +privately. **Do not disclose it as a public issue.** This gives me time to work with you +to fix the issue before public exposure, reducing the chance that the exploit will be +used before a patch is released. + +To report a security vulnerability, use the [Tidelift security contact](https://tidelift.com/security). +Tidelift will coordinate the fix and the disclosure of the reported problem. + +Please provide the following information in your report: + +- A description of the vulnerability and its impact +- How to reproduce the issue + +This project is maintained by a single maintainer on a reasonable-effort basis. As such, +I ask that you give me 90 days to work on a fix before public exposure.
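Review bot: In the CONTRIBUTING.md hunk, deleting the three "To report a **security vulnerability**" lines leaves the Issues section with no mention of private reporting at all, so a contributor who only reads CONTRIBUTING.md (the file that tells them how to file issues) gets no hint that vulnerabilities must not go into the public tracker. Suggest keeping a one-line pointer in place of the removed bullet, e.g. `* To report a **security vulnerability**, see [SECURITY.md](SECURITY.md).`, so the guidance stays discoverable from both files.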
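Review bot: In the SECURITY.md hunk, the "Please provide the following information" checklist asks for a description, impact and reproduction steps but not for the affected version or platform, even though the CONTRIBUTING.md context line above notes that issues are organized "by OS, issue type, etc."; without that, triaging a report against a platform-specific code path costs an extra round trip with the reporter. Suggest adding a third bullet such as `- The affected version and operating system`. The 90-day window and the "Do not disclose it as a public issue" instruction read clearly as written.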