diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000000..4856365d8f0 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,9 @@ +# Security + +## Reporting a vulnerability in Rspack + +Report a security vulnerability in Rspack via web-infra-careers@bytedance.com. + +Normally, your report will be acknowledged within 24 hours, and you'll receive a more detailed response to your report within 5 days indicating the next steps in handling your submission. + +After the initial reply to your report, the security team will endeavor to keep you informed of the progress being made towards a fix and full announcement, and may ask for additional information or guidance surrounding the reported issue. \ No newline at end of file
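Review bot: The reporting address in the "Reporting a vulnerability in Rspack" section, web-infra-careers@bytedance.com, has a name that suggests a careers mailbox rather than a security contact. Please confirm it is monitored by the security team that the last paragraph refers to, or switch to a dedicated security alias. The policy also names no confidential way to send details (no encryption key or private reporting channel), does not say whether "24 hours" and "5 days" mean calendar or business days, and does not state which Rspack versions are covered or what disclosure timeline a reporter should expect before the "full announcement". The file also ends with "\ No newline at end of file"; add a trailing newline.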