diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..0d0af44
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,117 @@
+# Security Policy
+
+## 🔐 Security Best Practices for PrivacyLayer
+
+This document outlines security best practices for contributors working on PrivacyLayer.
+
+## Reporting a Vulnerability
+
+**⚠️ IMPORTANT: Do not open a public issue for security vulnerabilities.**
+
+If you discover a security vulnerability, please report it privately by:
+
+1. Email: security@privacylayer.dev (when available)
+2. GitHub Security Advisories: [Report a vulnerability](https://github.com/ANAVHEOBA/PrivacyLayer/security/advisories/new)
+3. Direct message to maintainers on Discord/Twitter
+
+We will respond within 48 hours and work with you to understand and fix the issue.
+
+## Security Bounty Program
+
+We offer bounties for responsibly disclosed vulnerabilities:
+
+| Severity | Reward (USDC) |
+|----------|---------------|
+| Critical | $5,000 - $10,000 |
+| High | $1,000 - $5,000 |
+| Medium | $250 - $1,000 |
+| Low | $50 - $250 |
+
+### Critical Vulnerabilities
+
+- Private key leakage
+- ZK proof bypass allowing double-spend
+- Merkle tree manipulation
+- Smart contract reentrancy
+
+### High Vulnerabilities
+
+- Information leakage about transaction links
+- Incorrect nullifier handling
+- Access control bypass
+
+## Secure Development Guidelines
+
+### For Circuit Developers
+
+1. **Never expose secrets in logs**
+   ```noir
+   // ❌ BAD
+   println!("Secret: {}", secret);
+   
+   // ✅ GOOD
+   // Remove all debug prints before committing
+   ```
+
+2. **Validate all inputs**
+   ```noir
+   // Always check input lengths and formats
+   assert(input.len() == 32);
+   ```
+
+3. **Use constant-time operations where possible**
+
+### For Contract Developers
+
+1. **Check for reentrancy**
+   ```soroban
+   // Use checks-effects-interactions pattern
+   // Consider using reentrancy guards
+   ```
+
+2. **Validate all external calls**
+   ```soroban
+   // Always check return values
+   // Handle errors gracefully
+   ```
+
+3. **Use established libraries**
+   - OpenZeppelin contracts (when available for Soroban)
+   - Audited cryptographic libraries
+
+### For All Contributors
+
+1. **Keep dependencies updated**
+2. **Review code before committing**
+3. **Use strong, unique passwords for all accounts**
+4. **Enable 2FA on GitHub and all related accounts**
+5. **Never commit credentials or API keys**
+
+## Security Audit Status
+
+| Component | Audit Status | Date |
+|-----------|-------------|------|
+| Circuits - Commitment | ⏳ Pending | - |
+| Circuits - Withdraw | ⏳ Pending | - |
+| Contracts - Pool | ⏳ Pending | - |
+| SDK | ⏳ Not Started | - |
+
+We plan to undergo a professional security audit before mainnet launch.
+
+## Incident Response
+
+In case of a security incident:
+
+1. **Immediate**: Pause affected components
+2. **Assessment**: Understand scope and impact
+3. **Communication**: Notify affected users
+4. **Resolution**: Deploy fix and verify
+5. **Post-mortem**: Document lessons learned
+
+## Questions?
+
+If you have security-related questions, please use the private channels mentioned above.
+
+---
+
+**Last Updated:** April 2026