diff --git a/.github/SECURITY.md b/.github/SECURITY.md new file mode 100644 index 0000000..90408e4 --- /dev/null +++ b/.github/SECURITY.md @@ -0,0 +1,12 @@ +# Security Policy + +## Supported Versions + +At the moment, only the latest major.minor release stream is supported with +security updates. + +## Reporting a Vulnerability + +Please use the Tidelift security contact to [report a security +vulnerability](https://tidelift.com/security). Tidelift will coordinate the fix +and disclosure. diff --git a/README.md b/README.md index 6201bfa..1727453 100644 --- a/README.md +++ b/README.md @@ -891,12 +891,6 @@ both in the same application. If both are present, Ransack will default to Active Record only. The logic is contained in `Ransack::Adapters#instantiate_object_mapper` should you need to override it. -## Security contact information - -Please use the Tidelift security contact to [report a security -vulnerability](https://tidelift.com/security). Tidelift will coordinate the fix -and disclosure. - ## Semantic Versioning Ransack attempts to follow semantic versioning in the format of `x.y.z`, where:
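Review bot: In the new `.github/SECURITY.md`, under "Supported Versions", "only the latest major.minor release stream" does not tell a reporter which stream that currently is, so someone on an older release cannot tell from this file whether their version will receive a fix. Consider naming the current stream explicitly or pointing to where the latest release is listed, and keep that reference updated on each minor release. Under "Reporting a Vulnerability", it would also help to state that reports should go through the Tidelift contact rather than a public issue, since the text says Tidelift coordinates disclosure but does not say what to avoid.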
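Review bot: In the `README.md` hunk at `@@ -891,12 +891,6 @@`, the "Security contact information" section is removed without leaving any pointer to the new policy file, so anyone reading the README outside the GitHub UI no longer sees how to report a vulnerability. Suggest keeping the heading with a single line that links to `.github/SECURITY.md`, so the reporting channel stays discoverable from the README while the policy text lives in one place.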