diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..0624dbe
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,38 @@
+# Security Policy
+
+## Reporting A Vulnerability
+
+Please do not open public GitHub issues for security vulnerabilities.
+
+Preferred path:
+
+- If the repository host exposes private vulnerability reporting or GitHub Security Advisories for this repo, use that path first.
+
+Fallback path:
+
+- If no private reporting channel is available, open a minimal public issue requesting a private contact channel and do not include exploit details, tokens, or proof-of-concept payloads in that issue.
+
+When reporting a vulnerability, include:
+
+- A clear description of the issue.
+- Impact and affected areas.
+- Reproduction steps or a proof of concept.
+- Any suggested mitigation if you have one.
+
+We aim to acknowledge reports promptly, investigate them, and coordinate a fix and disclosure timeline with the reporter.
+
+## Current Security Limitations
+
+- Studio gateway settings are stored on disk in plaintext under the local OpenClaw state directory.
+- The current UI loads the configured upstream gateway URL/token into browser memory at runtime, even though those values are not stored in browser persistent storage.
+- The Studio access gate still supports a legacy query-parameter bootstrap flow for setting its access cookie when `STUDIO_ACCESS_TOKEN` is enabled.
+
+## Scope
+
+Please report issues related to:
+
+- Authentication or access-control bypasses.
+- Secret handling or token exposure.
+- Remote code execution or privilege escalation paths.
+- Unsafe filesystem, proxy, or network behavior.
+- Dependency vulnerabilities that materially affect this project.