diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..6e5030fb
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,17 @@
+
+# Security Policy
+
+## WebSocket Security
+The Nexus WebSocket gateway (`server.py`) is restricted to `127.0.0.1` by default to prevent unauthorized remote access to the cognition layer.
+
+### Remote Access
+If remote access is required, you must:
+1. Set `NEXUS_WS_HOST=0.0.0.0`
+2. Provide a secure `NEXUS_WS_AUTH_TOKEN`
+
+## Branch Protection
+We enforce rebase-before-merge to ensure a clean, linear history. Please rebase your branches against `main` before submitting for final review.
+
+## Reporting Vulnerabilities
+Please report any security concerns directly to the Timmy Foundation core team.
+    
\ No newline at end of file