diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..8cae2b6 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,13 @@ +## Guidelines + +We're committed to working with security researchers to resolve the vulnerabilities they discover. You can help us by following these guidelines: + +* Follow [HackerOne's disclosure guidelines](https://www.hackerone.com/disclosure-guidelines). +* Pen-testing Production: + * Please **setup a local environment** instead whenever possible. Most of our code is open source (see above). + * If that's not possible, **limit any data access/modification** to the bare minimum necessary to reproduce a PoC. + * **_Don't_ automate form submissions!** That's very annoying for us, because it adds extra work for the volunteers who manage those systems, and reduces the signal/noise ratio in our communication channels. + * To be eligible for a bounty, please follow all of these guidelines. +* Be Patient - Give us a reasonable time to correct the issue before you disclose the vulnerability. + +We also expect you to comply with all applicable laws.
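Review bot: the parenthetical "(see above)" in the "setup a local environment" bullet points at nothing, since this hunk creates the whole file and there is no earlier section; either link the open-source repositories directly or drop the reference. The file also names no reporting channel (no HackerOne program URL or security contact address) and only asks researchers to "Be Patient" without a target acknowledgement or disclosure window, so a reader cannot actually submit a finding from this document alone; consider a short "Reporting" section with the contact and an expected response time. Minor wording: "setup" as a verb should be "set up", and "Pen-testing Production:" would read more clearly as "If you must test against production:".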