diff --git a/README.md b/README.md index b4a40bfcd863..e2d55aeda7e5 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,7 @@ Ozone is a top level project under the [Apache Software Foundation](https://apac * Chat: You can find the #ozone channel on the official ASF slack. Invite link is [here](http://s.apache.org/slack-invite). * There are Open [Weekly calls](https://cwiki.apache.org/confluence/display/HADOOP/Ozone+Community+Calls) where you can ask anything about Ozone. * Past meeting notes are also available from the wiki. + * Reporting security issues: Please consult with [SECURITY.md](./SECURITY.md) about reporting security vulerabilities and issues. ## Download diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000000..8d8a42b48d36 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,23 @@ +# Security Policy + +## Supported Versions + +The first stable release of Apache Ozone is 1.0, the previous alpha and beta releases are not supported by the community. + +| Version | Supported | +| ------------- | ------------------ | +| 0.3.0 (alpha) | :x: | +| 0.4.0 (alpha) | :x: | +| 0.4.1 (alpha) | :x: | +| 0.5.0 (beta) | :x: | +| 1.0 | :white_check_mark: | + +## Reporting a Vulnerability + +To report any found security issues or vulnerabilities, please send a mail to security@ozone.apache.org, so that they may be investigated and fixed before the vulnerabilities is published. + +This email address is a private mailing list for discussion of potential security vulnerabilities issues. + +This mailing list is **NOT** for end-user questions and discussion on security. Please use the dev@ozone.apache.org list for such issues. + +In order to post to the list, it is **NOT** necessary to first subscribe to it.
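Review bot: The added README bullet misspells "vulnerabilities" as "vulerabilities" in "about reporting security vulerabilities and issues", which also makes the line harder to find when someone searches the README for the reporting procedure. Suggest fixing the spelling and tightening the wording, for example "Reporting security issues: see [SECURITY.md](./SECURITY.md) for how to report security vulnerabilities." The new bullet is also indented by one extra space compared with the neighbouring top-level bullets, so it may render as a child of "Past meeting notes" rather than as its own item; worth checking the rendered output.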
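Review bot: In the new SECURITY.md, the "Reporting a Vulnerability" section gives the private address but does not say what a report should include or what response the reporter can expect, and it does not explicitly ask reporters to avoid public channels before a fix; since the text already says issues should be "investigated and fixed before the vulnerabilities is published", a sentence stating that directly would make the intent unambiguous. Wording in the same section needs a pass: "before the vulnerabilities is published" has a number mismatch, and "potential security vulnerabilities issues" doubles the noun. Under "Supported Versions", the opening sentence is a comma splice ("is 1.0, the previous alpha and beta releases are not supported"), and the table writes "1.0" while every other row uses a three-part version such as "0.5.0", so it is unclear whether later 1.0.x releases are covered.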