diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..11319cb8 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,41 @@ + + +# Security Policy + +## Supported Versions +Our _release cycle_ for new features (minior [semver](https://semver.org/) update) +is roughly every two weeks (we will usually make a new release after each review). + +| Version | Security Fixes* | Supported** | +| ------- | ------------------ | ------------------ | +| 4.x.x | :white_check_mark: | :white_check_mark: | +| 3.15.x | :white_check_mark: | :white_check_mark: | +| <= 2.9.x | :x: | :x: | +| < 2.0 | :x: | :x: | + +### Major Release (Semver) +_Upcoming major updates_ will come with a time window in which both _major versions_ (starting with v2.x.x) +will receive security updates and bugfixes. The concrete support intervall will be probably a couple of months +and will be published when the next major version will be released. + +### Minor Release/Feature Releases (Semver) +We currently plan to provide support for the _latest minor [semver](https://semver.org/)_ release only. + +### Patch Release/Bugfix/Security Fix +We try to make bugfixes and high severity fixes available as patch release for the current minor release +as early as possible. + +## Extended (Enterprise) Support +If you are interested in extended support for older versions with security updates of our project +please get in touch with the project team via Slack or email . + +## Reporting a Vulnerability +You have found a vulnerability in the project that shouldn't be disclosed as public issue before it's fixed? +Please get in touch with the project team via Slack or email . + +You can expect a fast reaction within the next days. +We will keep you updated about the next steps and inform you if the vulnerability is accepted and when its fixed or if its ordeclined somehow.
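Review bot: In "Reporting a Vulnerability" (and again in "Extended (Enterprise) Support"), the sentence "Please get in touch with the project team via Slack or email ." ends without an address as it appears here, so a reporter has no concrete private channel. Please state the actual mailbox, name the Slack workspace or channel and say whether it is private, and replace "within the next days" with a specific acknowledgement window. In the Supported Versions table, the `*` and `**` markers on "Security Fixes*" and "Supported**" are never defined in the added lines, the rows skip 3.0 through 3.14.x, and the "< 2.0" row is already covered by "<= 2.9.x"; define the footnotes and make the version ranges contiguous. Spelling: "minior" should be "minor", "intervall" should be "interval", and the last line should read "when it's fixed or if it's declined" rather than "when its fixed or if its ordeclined somehow".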