diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..0b3bf57 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,110 @@ +# Security Policy + +## Supported Versions + +This portfolio project follows semantic versioning and maintains security updates for the following versions: + +| Version | Supported | Notes | +| ------- | ------------------ | ----- | +| 1.x.x | :white_check_mark: | Current stable version | +| 0.x.x | :x: | Development versions, no security support | + +## Security Features + +This portfolio includes the following security measures: + +- **Dependency Scanning**: Automated vulnerability scanning with Trivy +- **Code Quality**: ESLint and TypeScript for secure code practices +- **Authentication**: Basic Auth protection for admin routes +- **Environment Security**: Sensitive data stored in environment variables +- **HTTPS Only**: All production traffic encrypted +- **Input Validation**: All user inputs are validated and sanitized + +## Reporting a Vulnerability + +We take security seriously. If you discover a security vulnerability, please follow these steps: + +### How to Report + +1. **DO NOT** create a public GitHub issue +2. **DO** send an email to: `security@dki.one` +3. 
**Include** the following information: + - Description of the vulnerability + - Steps to reproduce + - Potential impact + - Suggested fix (if any) + +### Response Timeline + +- **Initial Response**: Within 48 hours +- **Status Update**: Within 7 days +- **Resolution**: Within 30 days (depending on severity) + +### What to Expect + +**If the vulnerability is accepted:** +- We will acknowledge receipt within 48 hours +- We will provide regular updates on our progress +- We will coordinate with you on disclosure timing +- We will credit you in our security advisories (if desired) + +**If the vulnerability is declined:** +- We will explain why it doesn't qualify as a security issue +- We may suggest alternative reporting channels + +### Scope + +**In Scope:** +- Authentication bypasses +- Data exposure vulnerabilities +- Cross-site scripting (XSS) +- Cross-site request forgery (CSRF) +- SQL injection +- Remote code execution +- Privilege escalation + +**Out of Scope:** +- Denial of service attacks +- Social engineering +- Physical attacks +- Issues in third-party dependencies (report to their maintainers) +- Issues in development/staging environments + +## Security Best Practices + +### For Users +- Keep your browser updated +- Use strong, unique passwords +- Enable two-factor authentication where available +- Report suspicious activity immediately + +### For Developers +- Follow secure coding practices +- Keep dependencies updated +- Use environment variables for sensitive data +- Implement proper input validation +- Regular security audits + +## Security Updates + +Security updates are released as soon as possible after a vulnerability is confirmed and fixed. 
We follow these practices: + +- **Critical**: Released within 24 hours +- **High**: Released within 72 hours +- **Medium**: Released within 1 week +- **Low**: Released with next regular update + +## Contact + +For security-related questions or concerns: +- **Email**: `security@dki.one` +- **Response Time**: Within 48 hours + +## Acknowledgments + +We appreciate the security research community and will acknowledge responsible disclosure of vulnerabilities. + +--- + +**Last Updated**: September 2024 +**Next Review**: March 2025
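Review bot: The Scope section's "Out of Scope: Issues in third-party dependencies (report to their maintainers)" conflicts with the Security Features section, which advertises "Automated vulnerability scanning with Trivy". A known vulnerability in a dependency this project ships is actionable here (bump or pin the package) even though the fix to the library itself belongs upstream, so as written the policy tells a reporter of exactly the finding Trivy is meant to catch that it does not qualify. Suggest narrowing the exclusion to something like "Vulnerabilities in third-party dependencies for which no fixed version exists (report to their maintainers); outdated vulnerable dependencies in this project are in scope." Also, the only reporting channel is a plain email address (`security@dki.one`), yet reporters are asked to include "Steps to reproduce" for issues such as authentication bypasses and remote code execution; add an encrypted option (a PGP key fingerprint, or GitHub's private vulnerability reporting for this repository) so that the report itself is not the disclosure.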