diff --git a/SECURITY.md b/SECURITY.md
index 034e8480..b67cd54b 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,20 +2,68 @@
 
 ## Supported Versions
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
+Open Claude is currently maintained on the latest `main` branch and the latest
+npm release only.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+| Version | Supported |
+| ------- | --------- |
+| Latest release | :white_check_mark: |
+| Older releases | :x: |
+| Unreleased forks / modified builds | :x: |
+
+Security fixes are generally released in the next patch version and may also be
+landed directly on `main` before a package release is published.
 
 ## Reporting a Vulnerability
 
-Use this section to tell people how to report a vulnerability.
+If you believe you have found a security vulnerability in Open Claude, please
+report it privately.
 
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+Preferred reporting channel:
+
+- GitHub Security Advisories / private vulnerability reporting for this
+  repository
+
+Please include:
+
+- a clear description of the issue
+- affected version, commit, or environment
+- reproduction steps or a proof of concept
+- impact assessment
+- any suggested remediation, if available
+
+Please do **not** open a public issue for an unpatched vulnerability.
+
+## Response Process
+
+Our general goals are:
+
+- initial triage acknowledgment within 7 days
+- follow-up after validation when we can reproduce the issue
+- coordinated disclosure after a fix is available
+
+Severity, exploitability, and maintenance bandwidth may affect timelines.
+
+## Disclosure and CVEs
+
+Valid reports may be fixed privately first and disclosed after a patch is
+available.
+
+If a report is accepted and the issue is significant enough to warrant formal
+tracking, we may publish a GitHub Security Advisory and request or assign a CVE
+through the appropriate channel. CVE issuance is not guaranteed for every
+report.
+
+## Scope
+
+This policy applies to:
+
+- the Open Claude source code in this repository
+- official release artifacts published from this repository
+- the `@gitlawb/openclaude` npm package
+
+This policy does not cover:
+
+- third-party model providers, endpoints, or hosted services
+- local misconfiguration on the reporter's machine
+- vulnerabilities in unofficial forks, mirrors, or downstream repackages