diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index 7f54e36f..34a3a0f3 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -1 +1,4 @@
* @rapidsai/deployment-write
+
+# Ops code owners
+/SECURITY.md @rapidsai/ops-codeowners
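Review bot: The new `/SECURITY.md @rapidsai/ops-codeowners` rule is not itself protected, because `.github/CODEOWNERS` still falls under the catch-all `* @rapidsai/deployment-write`. Anyone on that team can approve a change that drops or rewrites the ops ownership line. If the intent is that only ops can change the security policy, consider adding `/.github/CODEOWNERS @rapidsai/ops-codeowners` as well. Also note that in CODEOWNERS the last matching pattern takes precedence, so with this rule `@rapidsai/deployment-write` is no longer requested for review on `SECURITY.md`. If both teams should be requested, list both on the same line.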
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..86fb2e58
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,40 @@
+# Security
+
+## Reporting Security Issues
+
+> [!WARNING]
+> Do not report security vulnerabilities through public GitHub issues!
+
+Instead, please submit a private vulnerability report, see below.
+
+## Reporting a Vulnerability
+
+1. **NVIDIA Vulnerability Disclosure Program (preferred)**
+ Submit through the NVIDIA Product Security Incident Response Team (PSIRT) web form ()
+ This is the fastest path to triage and tracking.
+
+2. **Email NVIDIA PSIRT**
+ `psirt@nvidia.com` — encrypt sensitive reports with the
+ [NVIDIA PSIRT PGP key](https://www.nvidia.com/en-us/security/pgp-key).
+
+3. **GitHub Private Vulnerability Reporting**
+ Use the **Security and quality** tab on this repository → _Report a vulnerability_.
+
+## Report Details
+
+We prefer all communications to be in English.
+
+Reports should include the following:
+
+- reproducible example showing how the vulnerability can be exploited
+- statement about the impact (including affected versions)
+
+And we'd appreciate if they also include:
+
+- statement about whether you are interested in implementing the fix yourself
+
+## Disclosure Policy
+
+NVIDIA PSIRT will acknowledge receipt and coordinate triage, fix development, and coordinated disclosure.
+
+More on NVIDIA's response process: .
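Review bot: Two links in the new SECURITY.md are empty as shown here. The preferred reporting option ends in `web form ()` with nothing inside the parentheses, and the last line reads `More on NVIDIA's response process: .` with no target. A reporter following option 1 has no URL to go to, which undercuts the claim that this is the fastest path to triage. Please fill in both URLs before merging. Separately, "Reporting Security Issues" only says "see below" and is followed immediately by "Reporting a Vulnerability". Merging the two sections under one heading would keep the warning and the three reporting options together.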