diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..e142c2a --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,64 @@ +# Security Policy + +ATXP gives AI agents wallets, identities, and payment access. Because the SDK +touches funds and credentials, we take security reports seriously and want a +clear, private channel for researchers to use. + +## Reporting a Vulnerability + +**Please do not open public GitHub issues for security reports.** + +Email security concerns to: + +- `security@atxp.ai` (preferred, if available) +- `support@atxp.ai` (fallback) + +Include: + +1. A description of the issue and its impact. +2. Reproduction steps (proof-of-concept if possible). +3. The affected version, commit, or endpoint. +4. Your contact info and whether you want public credit. + +If you don't get an acknowledgement within 5 business days, please ping again — +mail can get lost. + +## Scope + +In scope: + +- This repository (`atxp-dev/atxp`) and the `atxp` npm package. +- The ATXP backend APIs and wallet handling reachable through the SDK or + `atxp.ai` / `accounts.atxp.ai`. +- Authentication, payment routing, and wallet custody flows. + +Out of scope: + +- Third-party MCP servers reached through ATXP tools. +- Issues that require physical access to a user's machine. +- Reports of missing best-practice headers without a demonstrated impact. +- Social engineering of ATXP staff. + +## Coordinated Disclosure + +We ask researchers to give us a reasonable window — typically up to 90 days — +to investigate and ship a fix before public disclosure. If the issue is being +actively exploited, we'll move faster and coordinate with you on timing. + +## Recognition + +With your permission, we'll credit you in release notes or a published advisory +once a fix has shipped. ATXP does not currently run a paid bug bounty program; +if that changes, this document will be updated. + +## Safe Harbor + +We will not pursue legal action against researchers who: + +- Make a good-faith effort to follow this policy. +- Avoid privacy violations, data destruction, or service degradation. 
+- Report findings promptly and privately. +- Do not exploit findings beyond what's necessary to demonstrate the issue. + +If you're unsure whether something is in scope or safe to test, ask first via +the email above.
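Review bot: In "Reporting a Vulnerability", `security@atxp.ai` is listed as "(preferred, if available)", which leaves a reporter unable to tell whether the preferred mailbox exists. Confirm the address is provisioned and monitored before merging and drop the qualifier, or list only `support@atxp.ai` until it is. Because the policy itself says the SDK touches funds and credentials, it would also help to say how a proof-of-concept can be sent confidentially (for example a published PGP key or GitHub private vulnerability reporting), since both listed channels are plain email and the fallback is a support address. The "5 business days" sentence in the same section only tells the reporter when to ping again; phrasing it as a target for acknowledgement would make the commitment explicit.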