Add security reporting file

README.md

@@ -1,2 +1,5 @@
 # .github
-Default community health files for @2factorauth.
+Default community health files for [@2factorauth](https://github.com/2factorauth/).
+
+> **Note**  
+> Please confirm with CM before pusing.

SECURITY.md

@@ -0,0 +1,32 @@
+# Security Reporting
+
+Have you found a security vulnerability or bug affecting 2FA Directory?
+Get in touch with us!
+
+## Vulnerability scope
+
+[2factorauth][about] hosts the 2FA Directory [website][website]
+and [API service][api].  
+We also manage the GitHub repositories on [github.com/2factorauth][github]. Vulnerabilities
+directly related to the code in these repositories can be reported to us.  
+If you've found an issue with one of our dependencies, please report your findings directly to the dependency in
+question.
+
+Before reporting, please note that 2FA Directory is a static website and API service public to everyone.
+Therefore, potential DOM and cookie exfiltration aren't something that's within our scope.
+
+## Reporting vulnerabilities
+
+Please report your findings through our [Security advisory platform][advisory].  
+If you're unable to use GitHub, send us an email instead at <a href="mailto:[email protected]">[email protected]</a>.
+PGP is available using the key [66906F90EA58EC3FA5DC5B3A61339316DD315F4D][pgp].
+
+> **Warning**  
+> Reports from automated security scans will be discarded.
+
+[about]: https://2fa.directory/about/
+[advisory]: https://github.com/2factorauth/twofactorauth/security/advisories/new
+[api]: https://2fa.directory/api/
+[github]: https://github.com/2factorauth
+[pgp]: https://keys.openpgp.org/vks/v1/by-fingerprint/66906F90EA58EC3FA5DC5B3A61339316DD315F4D
+[website]: https://2fa.directory/