add SECURITY.md for security disclosures
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..917abf3
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,15 @@
+# Security Policy
+
+Last Updated: 2020-03-21
+
+## Reporting a Vulnerability
+
+In unlikely event of finding a security vulnerability directly relating to `jackson-annotations`
+package -- unlikely, as there is very little code in this package --
+the recommended mechanism for reporting possible security vulnerabilities follows
+so-called "Coordinated Disclosure Plan" (see [definition of DCP](https://vuls.cert.org/confluence/display/Wiki/Coordinated+Vulnerability+Disclosure+Guidance)
+for general idea). The first step is to file a [Tidelift security contact](https://tidelift.com/security):
+Tidelift will route all reports via their system to maintainers of relevant package(s), and start the
+process that will evaluate concern and issue possible fixes, send update notices and so on.
+Note that you do not need to be a Tidelift subscriber to file a security contact.
+
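Review bot: the acronym on the `(see [definition of DCP](...)` line does not match either the term used two lines above ("Coordinated Disclosure Plan") or the linked page title ("Coordinated Vulnerability Disclosure Guidance"); use one term consistently, e.g. `so-called "Coordinated Vulnerability Disclosure" (see [definition of CVD](...)`, so a reporter searching for the process finds the right thing. Same hunk: "In unlikely event of finding" needs an article ("In the unlikely event of finding"), and the sentence from "In unlikely event" through "for general idea)" is one long run-on that buries the actual instruction; state the reporting channel first and the rationale second. The policy also names only a single intake (Tidelift) and does not say which versions are in scope for fixes or what response a reporter should expect; adding a short "Supported Versions" section and an expected acknowledgement window, as the usual SECURITY.md layout does, would make the file actionable rather than descriptive. The "you do not need to be a Tidelift subscriber" note is useful and should stay.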