diff --git a/README.md b/README.md index df56d64d7..03324c4f3 100644 --- a/README.md +++ b/README.md @@ -164,6 +164,10 @@ Verdaccio aims to support all features of a standard npm client that make sense - npm audit - **supported** +## Report a vulnerability + +If you want to report a security vulnerability, please follow the steps which we have defined for you in our [security policy](https://github.com/verdaccio/verdaccio/security/policy). + ## Core Team The core team is the responsable for drive this project, team is ordered by antiquity and areas of responsability. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..9607505a0 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,30 @@ +# Security Policy + +## Supported Versions + +Use this section to tell people about which versions of your project are +currently being supported with security updates. + +| Version | Supported | +| ------- | ------------------ | +| 2.x | :x: | +| 3.x | :white_check_mark: | +| 4.x | :white_check_mark: | + +## Reporting a Vulnerability + +At Verdaccio, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present. If you've discovered a vulnerability, please follow the guidelines below to report it to our team: + +* Report it either [Snyk Security Team](https://snyk.io/vulnerability-disclosure/) or [npmjs Security Team](https://www.npmjs.com/advisories/report?package=verdaccio), they will be in contact with us in case of confirming the vulnerability. +* E-mail your findings to [verdaccio@pm.me](mailto:verdaccio@pm.me). If the report contains highly sensitive information, please consider encrypting your findings using our [PGP key](https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc). + +Please follow these rules when testing/reporting vulnerabilities: +* Do not take advantage of the vulnerability you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability. +* Do not read, modify or delete data that isn't your own. +* We ask that you do not disclose the findings to third parties until it has been resolved. + +What we promise: +* We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date. +* We will keep you informed during all stages of resolving the problem. +* To show our appreciation for your effort and cooperation during the report, we will list your name and a link to a personal website/social network profile on the page below so that the public can know you've helped keep Verdaccio secure. + 
diff --git a/security.txt b/security.txt new file mode 100644 index 000000000..b243ac559 --- /dev/null +++ b/security.txt @@ -0,0 +1,5 @@ +Contact: verdaccio@pm.me +Encryption: https://verdaccio.nyc3.digitaloceanspaces.com/gpg/publickey.verdaccio@pm.me.asc +Acknowledgments: https://verdaccio.org/thanks.html +Preferred-Languages: en +Policy: https://github.com/verdaccio/verdaccio/security/policy
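Review bot: The "Supported Versions" section of the new SECURITY.md still carries the GitHub template placeholder ("Use this section to tell people about which versions of your project are currently being supported with security updates."); replace it with a one-line statement of the project's actual policy, or drop the sentence, before merging. Two smaller points in "Reporting a Vulnerability": the first bullet is missing a preposition ("Report it either to the Snyk Security Team or to the npmjs Security Team"), and the last promise says reporters will be listed "on the page below" but no page is linked anywhere in the file; the acknowledgments URL that security.txt in this same patch already points at (https://verdaccio.org/thanks.html) would close that gap. It would also help to say whether the Snyk/npm route and the direct e-mail route are alternatives or whether both are expected, since the two bullets currently read as a sequence of steps.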
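Review bot: security.txt omits the Expires field, which the security.txt specification (RFC 9116) makes mandatory, and the Contact value should be a URI rather than a bare address, e.g. `Contact: mailto:verdaccio@pm.me`. Since a PGP key is already published through the Encryption field, consider committing the file as a cleartext-signed copy so readers can verify it against that key, and add a Canonical: line with the URL the file will be served from. Note also that the specification expects the served copy at /.well-known/security.txt on the website; keeping the source in the repository root is fine, but tooling that looks in the well-known location will not find it there.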