diff --git a/.github/ISSUE_TEMPLATE/custom.md b/.github/ISSUE_TEMPLATE/custom.md
new file mode 100644
index 0000000..97460ae
--- /dev/null
+++ b/.github/ISSUE_TEMPLATE/custom.md
@@ -0,0 +1,9 @@
+---
+name: File an issue
+about: For all non-security issues
+title: ''
+labels: ''
+assignees: ''
+
+---
+
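Review bot: the template body after the closing `---` is empty, and the only guidance is the `about:` line "For all non-security issues", which does not say where a security issue should go instead. Add a short line to the body pointing reporters at SECURITY.md, so that someone who opens this template with a vulnerability is redirected before posting details in a public issue. `title`, `labels` and `assignees` are all empty strings; that is fine if no default is intended, but a default label would make triage easier.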
diff --git a/README.md b/README.md
index afbc60e..92eaef2 100644
--- a/README.md
+++ b/README.md
@@ -80,3 +80,7 @@
 
 The software is provided under the MIT license.
 Note that additional licences apply if you use the minicrypto binding (see above).
+
+Reporting Security Issues
+---
+Please report vulnerabilities to h2o-vuln@googlegroups.com. See [SECURITY.md](SECURITY.md) for more information.
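Review bot: the sentence added under "Reporting Security Issues" gives the address but does not say that reports should be sent privately rather than filed in the public issue tracker. SECURITY.md does say "reported privately", but the README is where most reporters land first. Suggest wording along the lines of "Please report vulnerabilities privately to h2o-vuln@googlegroups.com, not via GitHub issues." The address is also now duplicated in two files; keeping it only in SECURITY.md and linking there would leave a single place to update.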
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..9530c81
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,7 @@
+## Report a security issue
+
+The h2o/picotls project team welcomes security reports and is committed to providing prompt attention to security issues. Security issues should be reported privately via h2o-vuln@googlegroups.com.
+
+## Security advisories
+
+Remediation of security vulnerabilities is prioritized by the project team. The project team endeavors to coordinate remediation with third-party stakeholders, and is committed to transparency in the disclosure process. The picotls/h2o team announces security issues via [h2o project Github Release notes](https://github.com/h2o/h2o/releases) as well as [the h2o website](h2o.examp1e.net) on a best-effort basis.
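Review bot: in the last line of the "Security advisories" section, the link target `(h2o.examp1e.net)` has no scheme, so Markdown renderers resolve it as a path relative to the repository and the link will not reach the website; write it as an absolute URL including the scheme. On the same line, "Github" should be "GitHub", and the project is named "h2o/picotls" in the first section but "picotls/h2o" here, so pick one. The policy would also be more useful to reporters if it said what to include in a report and when to expect an acknowledgement.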
