diff --git a/README.md b/README.md
index da872eb8..f52c2bd6 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,14 @@ For details on development prereqs and running tests see [here](https://github.c
 
 This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
 
+## Reporting a Vulnerability
+
+Security issues and bugs should be reported privately, via email, to the Microsoft Security Response Center (MSRC) through https://msrc.microsoft.com or by emailing secure@microsoft.com. 
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your 
+original message. Further information, including the MSRC PGP key, can be found in the [MSRC Report an Issue FAQ](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue).
+
+Please do not open issues for anything you think might have a security implication.
+
 ## License
 
 This project is under the benevolent umbrella of the [.NET Foundation](http://www.dotnetfoundation.org/) and is licensed under [the MIT License](https://github.com/Azure/azure-webjobs-sdk/blob/master/LICENSE.txt)
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..149e8427
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,9 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+Security issues and bugs should be reported privately, via email, to the Microsoft Security Response Center (MSRC) through https://msrc.microsoft.com or by emailing secure@microsoft.com. 
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your 
+original message. Further information, including the MSRC PGP key, can be found in the [MSRC Report an Issue FAQ](https://www.microsoft.com/en-us/msrc/faqs-report-an-issue).
+
+Please do not open issues for anything you think might have a security implication.