diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..48f1afd --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,44 @@ +# Security Policy for vue3-steppy + +## Commitment + +The `vue3-steppy` is committed to ensuring the security of everyone using it. The security of the project is of very importance and any contributions that improve the security of the application are welcome. + +## Reporting a Vulnerability + +If you believe you have found a security vulnerability in `vue3-steppy`, you are encouraged to create a report as soon as possible. All legitimate reports will be investigated to provide a quick fix. Please follow these guidelines when reporting a vulnerability: + +### How to Report a Security Vulnerability? + +- **Email**: Please send an email to the [owner](mailto:mkonstan.1998@gmail.com). +- **GitHub Issue**: It's recommended not to report security vulnerabilities through GitHub issues as they are public. Please use the email address provided. + +### What to Include in Your Report? + +Please provide as much information as possible about the vulnerability, including: +- A clear description of the issue. +- Steps to reproduce the vulnerability (POC scripts, screenshots, and compressed screen captures are all helpful). +- Any potential impacts of the vulnerability. +- Any suggestions for fixing the vulnerability. + +### What to Expect After You Report? + +- An acknowledge receipt of your report within 24 hours. +- An initial assessment of the report within 3 business days. +- Possible contact for further information if necessary. +- Once the vulnerability is confirmed, a fix and release will be scheduled as quickly as feasible. +- You will be informed about the progress. + +## Policy Updates + +This security policy may be updated from time to time. The most current version will always be posted on the GitHub repository. + +## Out-of-Scope Vulnerabilities + +Please note that the following issues are considered out of scope for the security vulnerability reporting: +- Descriptive error messages (e.g., Stack Traces, application or server errors). 
+- HTTP 404 codes/pages or other HTTP non-200 codes/pages. +- Fingerprinting/banner disclosure on common/public services. +- Disclosure of known public files or directories, (e.g., robots.txt). + +Your efforts are appreciated to responsibly disclose your findings and will make every effort to acknowledge your contributions.
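Review bot: The "Out-of-Scope Vulnerabilities" list at the end of the hunk (HTTP 404 and other non-200 pages, fingerprinting/banner disclosure on public services, disclosure of robots.txt) describes findings against a deployed web server; if, as the name suggests, `vue3-steppy` is a Vue 3 frontend package rather than a hosted service, none of these exclusions apply to it, and the list would be more useful if it named exclusions that fit a client-side library (for example, issues that require an already-compromised host application or a vulnerable dependency the project merely consumes). The same section also calls the project an "application" in the Commitment paragraph while the rest of the file treats it as a package; pick one. The only reporting channel is a single personal mailbox; consider adding GitHub's private vulnerability reporting (repository Security Advisories) as a second non-public channel so reports do not depend on one inbox, which also matches the advice in the hunk not to use public issues. Minor wording fixes for the added text: "The `vue3-steppy` is committed" should read "`vue3-steppy` is committed", "of very importance" should be "very important", "An acknowledge receipt of your report" should be "An acknowledgement of receipt of your report", and the closing sentence "Your efforts are appreciated to responsibly disclose your findings and will make every effort to acknowledge your contributions" is missing its subject in the second clause (for example "We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions").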