--- /dev/null
+# Security Policy
+
+## Supported Versions
+
+The currently supported maintenance release is 2.15.
+
+| Version | Supported |
+| ------- | ------------------ |
+| 2.15.x | :white_check_mark: |
+| 2.12.x | limited |
+| 2.10.x | :x: |
+| 2.7.x | :x: |
+
+## Reporting a Vulnerability
+
+If you have details of a suspected security vulnerability in Lustre code that you
+wish to report then please email us at security@whamcloud.com with the details.
+
+Please do not file a public JIRA issue for a security vulnerability - we do not want
+to draw attention to the vulnerability until a fix has been developed and administrators
+have been alerted and have had some time to put a mitigation in place.
+
+Ideally the reporting email should have as much detail as possible:
+
+- reproducer, versions affected, fix if available, etc.
+- indicate to whom (individual and/or affiliation) that credit for finding the issue should be reported
+- details of any CVE already reserved
+- our intentions around disclosing the details of the vulnerability
+
+We aim to respond to any such reports within three business days of receipt.
+