diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..628e079 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md @@ -0,0 +1,11 @@ +## Description + +### Proposed Changes + +- +- + +### Checklist before submitting + +- [ ] I followed the guidelines in our [Contributing document](https://github.com/lburcusel/glowing-fiesta/blob/production/CONTRIBUTING.md) +- [ ] My submission pass all tests diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..3f7b99d --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,49 @@ +# Security Policy + +Glowing Fiesta is unreleased software still in early development, and so bugs and vulnerabilities in its code can be safely +disclosed publicly. The preference is to report security issues as +[GitHub issues](https://github.com/lburcusel/glowing-fiesta/issues/new?template=bug_report.md). + +However, private vulnerability reporting is also enabled on the repository. If you find a security issue in Glowing Fiesta, +or in another package that you believe affects Glowing Fiesta, you may report it privately to the maintainers +using the [process outlined in GitHub documentation](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/creating-a-repository-security-advisory). + +Issues reported and accepted through the private reporting process will be disclosed publicly once they are resolved, +and given a security advisory identifier. The maintainers may include regular contributors in the disposition and resolution +process as their expertise requires. Researchers who report security issues privately will be credited in the advisory. + +The maintainers reserve the right to reject reports that are not security issues, or that are not in the scope of Glowing Fiesta. +For issues that are determined to not be security issues, please report them as a +[GitHub issue](https://github.com/lburcusel/glowing-fiesta/issues/new?template=bug_report.md) instead. If you choose not to +re-report the issue as a generic issue, the maintainers may do so themselves. + +Glowing Fiesta does not offer bug bounties for security issues at this time. + +## Scope of Security Issues + +Many security features of the web platform are not yet implemented in Glowing Fiesta. Security reports regarding +incomplete features may be redirected to regular issues. 
The following are examples of issues that are not in scope +at this time: + +- Cross-site request forgery +- Cross-site scripting +- Content Security Policy violations +- Cross-origin iframe sandboxing + +The maintainers reserve the right to modify this list as the project matures and as security issues are reported. + +Significant portions of the browser depend on third party libraries. Examples include image decoding, video decoding, +internationalization, and 2D graphics. Security issues in these libraries should be reported to the maintainers of the +respective libraries. The maintainers of Glowing Fiesta will work with the maintainers of these libraries to resolve the issue. +If a security issue relates more to the integration of the library into Glowing Fiesta, it should be reported via the same +methods as other security issues. + +## Responsible Disclosure + +The maintainers of Glowing Fiesta will work with security researchers to resolve security issues in a timely manner. A default +120-day disclosure timeline is in place for all security issues, but this may be extended if the maintainers and the reporter +agree that more time is needed to resolve the issue. The maintainers will keep the reporter informed of progress and +resolution steps throughout the process. + +In the case that a security issue is also reported to other package vendors or OSS projects, the maintainers will work +with the longest disclosure timeline to ensure that all parties have sufficient time to resolve the issue.
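Review bot: In the `.github/PULL_REQUEST_TEMPLATE.md` hunk, the second checklist item reads "My submission pass all tests" and should be "My submission passes all tests"; since this template accompanies a new SECURITY.md in the same change, consider adding a third checkbox that prompts the author to state whether the change touches security-relevant behaviour, e.g. `- [ ] I have noted any security impact of this change in the description`, so reviewers can route such PRs according to the policy.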
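Review bot: In the `SECURITY.md` hunk, the "Responsible Disclosure" section sets a default 120-day timeline but does not say what happens when that period ends without a fix, while the earlier paragraph states that privately reported issues "will be disclosed publicly once they are resolved"; the two read as a fixed deadline versus an open-ended wait, and the document should say which applies (for example, that the advisory is published at 120 days unless an extension is agreed). Two smaller points in the same hunk: the opening sentence says bugs "can be safely disclosed publicly" and then immediately describes a private process with a coordinated timeline, which would read more consistently as "may be disclosed publicly, but private reporting is also available"; and "to not be security issues" is better phrased "not to be security issues". The policy also gives no fallback contact (such as an email address) for reporters who cannot use GitHub's private advisory form; if one exists, it belongs here.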