diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..4eae9e9d --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,35 @@ +# Security Policy + +## Supported Versions + +Security support status for currently maintained versions: + +| Version | Support Status | +|---------|-----------------------| +| 2.x | ✅ Actively Maintained | +| 1.x | ❌ End of Life | + +## Vulnerability Reporting + +### Submit Vulnerability +Please submit reports via [GitHub Security Advisory](https://github.com/0xJacky/nginx-ui/security/advisories/new) with: +- Affected version(s) +- Detailed vulnerability description +- Reproducible PoC (Proof of Concept) +- Environment configuration details + +### Handling Process +- Valid reports will be tracked through private advisory channels +- Within 21-31 days after remediation: + - Request CVE identifier from numbering authorities + - Publish technical details on GitHub Advisory + - Update Release Notes with impact assessment + +### Requirements +- **Testing Restrictions**: All security validation must be conducted in locally built isolated environments. Online demo systems are strictly prohibited for testing purposes +- **Environment Isolation**: Testing environments must be network-segregated from production systems. Test traffic must not leak beyond isolated networks +- Destructive testing is prohibited without explicit authorization +- Adhere to Coordinated Disclosure principles +- Vulnerability details must remain confidential until public disclosure + +> Security researchers will be acknowledged in project credits based on contribution significance
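Review bot: The Handling Process section bounds only the post-remediation window ("Within 21-31 days after remediation") and sets no target for initial acknowledgement or for remediation itself, so the Requirements rule that "Vulnerability details must remain confidential until public disclosure" has no upper bound for the reporter; consider adding an acknowledgement SLA (e.g. "We will acknowledge reports within N business days") and a maximum embargo period after which coordinated disclosure proceeds even if a fix is not yet shipped. Also, Submit Vulnerability offers the GitHub Security Advisory form as the only channel; a fallback contact (a security e-mail address, optionally with a PGP key) would serve reporters who cannot use GitHub.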