+# Security Policy
+
+## Supported Versions
+
+We are an open source project with no corporate sponsor and no formal
+"support". In practice, we support the latest released version and work with
+OS vendors to make it easy for them to backport fixes for their distributed
+packages. For some security issues, we will issue a patch-release which has
+just a simple fix.
+
+We also often have `exim_VERSION+fixes` branches with small things which we
+recommend that vendors use.
+
+For postmasters installing Exim manually, we recommend always using the latest
+released tarball.
+
+## Reporting a Vulnerability
+
+Our security page is at <https://wiki.exim.org/EximSecurity>.
+It contains the current contact point and list of PGP keys to use for
+encrypting particularly sensitive information.
+This also links to our documentation and the chapter on security
+considerations.
+
+Our security release process is at
+<https://wiki.exim.org/SecurityReleaseProcess>.
+This covers what we do in handling vulnerability reports.
+
+We have no bug bounty program of our own; we're far too disparate a group of
+volunteers for such things.