diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..93e711c
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,42 @@
+# Security Notice
+
+## What?
+
+This is the security notice for all GDS (Government Digital Service) repositories. The notice explains how vulnerabilities should be reported to GDS. At GDS there are cyber security and information assurance teams, as well as security-conscious people within the programmes, that assess and triage all reported vulnerabilities.
+
+## Reporting a Vulnerability
+
+GDS is an advocate of responsible vulnerability disclosure. If you’ve found a vulnerability, we would like to know so we can fix it.
+
+Send details to [disclosure@digital.cabinet-office.gov.uk], including:
+- the website, page or repository where the vulnerability can be observed
+- a brief description of the vulnerability 
+- optionally the type of vulnerability and any related [OWASP category]
+- non-destructive exploitation details
+
+GDS use ZenDesk as a ticketing system, so you may get a reply or response from that platform.
+
+## Scope
+The following are **not** in scope:
+- volumetric vulnerabilities, for example overwhelming a service with a high volume of requests 
+- reports indicating that our services do not fully align with “best practice”, for example missing security headers
+
+If you are not sure, you can still reach out via email; [disclosure@digital.cabinet-office.gov.uk].
+
+## Bug bounty
+Unfortunately, GDS doesn't offer a paid bug bounty programme. GDS will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly.
+
+# Code of Conduct
+
+GDS have a contributors code of conduct, which you can find here: [CODE_OF_CONDUCT.md]
+
+---
+
+#### Further reading and inspiration about responsible disclosure and `SECURITY.md`
+- <https://mojdigital.blog.gov.uk/vulnerability-disclosure-policy/>
+- <https://www.ncsc.gov.uk/information/vulnerability-reporting>
+- <https://github.com/Trewaters/security-README>
+
+[disclosure@digital.cabinet-office.gov.uk]: mailto:disclosure@digital.cabinet-office.gov.uk
+[CODE_OF_CONDUCT.md]: https://github.com/alphagov/.github/blob/master/CODE_OF_CONDUCT.md
+[OWASP category]: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_2017_Project