diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..0060b57
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,27 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "ci"
+ commit-message:
+ prefix: "ci"
+ include: "scope"
+
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "monday"
+ open-pull-requests-limit: 5
+ labels:
+ - "dependencies"
+ - "go"
+ commit-message:
+ prefix: "deps"
+ include: "scope"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f46e885..d3a1773 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,8 +10,8 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-go@v5
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+ - uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5
 with:
 go-version: '1.26'
 - name: Vet
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..0d194b8
--- /dev/null
+++ b/SECURITY.md
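Review bot: The `labels` lists name `dependencies`, `ci` and `go`, and as far as I recall Dependabot only applies labels that already exist in the repository and silently skips the rest, so these labels should be created or verified before the first weekly run or the PRs will arrive unlabelled. Consider also a `groups:` stanza under the `github-actions` entry (a single group with a `patterns` list matching all actions) so that one weekly run produces one batched PR; with `open-pull-requests-limit: 5` and one PR per action the limit is reached quickly as the workflow set grows. The two entries are otherwise consistent with each other in schedule, limit and commit-message layout.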
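Review bot: The comments on the two pinned `uses:` lines (`# v4`, `# v5`) record floating major-version aliases rather than the exact release each SHA was taken from, so a reviewer cannot confirm the SHA-to-tag correspondence from the line itself and the comment will still read `v4` after the alias moves; record the exact tag instead, e.g. `- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # <exact release tag>`. Dependabot's `github-actions` updater added in the same commit rewrites both the SHA and the trailing comment on each bump, so keeping the comment exact costs nothing after the initial pin. The `test` job's `steps` list continues below the hunk; any further `uses:` entries there are not visible and, if still tag-pinned, should get the same treatment. It is also worth confirming once that each SHA is the commit a release tag points at rather than an arbitrary branch commit.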
@@ -0,0 +1,47 @@
+# Security Policy
+
+## Reporting a vulnerability
+
+If you discover a security vulnerability in `asobi-cli`, please report it
+**privately** so we can fix it before it is publicly disclosed.
+
+**Do not open a public GitHub issue for security issues.**
+
+### How to report
+
+Either of these channels work:
+
+- **GitHub Security Advisory (preferred):**
+ [Report privately](https://github.com/widgrensit/asobi-cli/security/advisories/new)
+- **Email:** security@asobi.dev
+
+### What to expect
+
+- Acknowledgement within **48 hours**
+- Initial assessment within **7 days**
+- Coordinated disclosure timeline agreed with you
+- Credit in the security advisory if you want it
+
+## Supported versions
+
+| Version | Supported |
+|---------|-----------|
+| latest stable | ✅ |
+| older releases | ❌ — please upgrade |
+
+## Scope
+
+**In scope:**
+- The `asobi-cli` Go binary (this repository)
+- Stored credential format and the device-code login flow
+
+**Out of scope:**
+- The hosted asobi.dev SaaS — see https://asobi.dev/security
+- Third-party Go dependencies — please report upstream
+
+## Credential storage
+
+`asobi-cli` stores credentials at `~/.asobi/credentials.json` with mode
+`0600`, in a directory with mode `0700`. The CLI does not transmit
+credentials over unencrypted channels and uses ECDH+AES-GCM for the
+initial device-code login exchange.