diff --git a/POLICY.md b/POLICY.md
index fb673155d..3d84cbb82 100644
--- a/POLICY.md
+++ b/POLICY.md
@@ -42,12 +42,4 @@ Considered to be part of the API policy.
 
 # Security
 
-To report a vulnerability, please contact [dustin@cs.uchicago.edu](dustin@cs.uchicago.edu), you may use GPG public-key `D8097934A92E4B4210368102FF8B7AC6154E3226` which is available [here](https://keybase.io/djmitche/pgp_keys.asc?fingerprint=d8097934a92e4b4210368102ff8b7ac6154e3226). Initial response is expected within ~48h.
-
-We kinldy ask to follow the responsible disclosure model and refrain from sharing information until:
-1. Vulnerabilities are patched in TaskChampion + 60 days to coordinate with distributions.
-2. 90 days since the vulnerability is disclosed to us.
-
-We recognise the legitimacy of public interest and accept that security researchers can publish information after 90-days deadline unilaterally.
-
-We will assist with obtaining CVE and acknowledge the vulnerabilites reported.
+See [SECURITY.md](./SECURITY.md).
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..9d8d975d9
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,11 @@
+# Security
+
+To report a vulnerability, please contact [dustin@cs.uchicago.edu](dustin@cs.uchicago.edu), you may use GPG public-key `D8097934A92E4B4210368102FF8B7AC6154E3226` which is available [here](https://keybase.io/djmitche/pgp_keys.asc?fingerprint=d8097934a92e4b4210368102ff8b7ac6154e3226). Initial response is expected within ~48h.
+
+We kindly ask to follow the responsible disclosure model and refrain from sharing information until:
+1. Vulnerabilities are patched in TaskChampion + 60 days to coordinate with distributions.
+2. 90 days since the vulnerability is disclosed to us. 
+
+We recognise the legitimacy of public interest and accept that security researchers can publish information after 90-days deadline unilaterally.
+
+We will assist with obtaining CVE and acknowledge the vulnerabilites reported.