diff --git a/AGENTS.md b/AGENTS.md index 28944c9d78108..870dff8150ec7 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -155,3 +155,11 @@ DO NOT push to the upstream repo. Always push to the personal fork. Open PRs aga DO NOT force push or use `--amend` on pushed commits unless the user explicitly asks. If the remote branch has new commits, fetch and rebase before pushing. Always get user approval before external operations such as pushing commits, creating PRs, or posting comments. Use `gh pr create` to open PRs. If `gh` is not installed, generate the GitHub PR URL for the user and recommend installing the GitHub CLI. + +## Security + +Security model: [SECURITY.md](./SECURITY.md) + +Agents that scan this repository should consult `SECURITY.md` +for the project's threat model, in-scope / out-of-scope +declarations, and known non-findings before reporting issues. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000000..de69c20ab2aea --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,22 @@ +# Security policy + +## Reporting a vulnerability + +To report a security vulnerability in Apache Spark, follow the +ASF security process at . +Reports can be sent privately to security@apache.org or to +security@spark.apache.org. + +## Threat model + +Apache Spark's security guidance for operators — covering +authentication, encryption, access control, Kerberos +integration, trust boundaries, environmental assumptions, +security properties provided and not provided, and downstream +operator responsibilities — is documented at: + + + +Automated security scanning agents should consult that +document for the project's in-scope / out-of-scope +declarations before reporting issues.
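Review bot: In the AGENTS.md hunk, the new paragraph promises that `SECURITY.md` carries "in-scope / out-of-scope declarations, and known non-findings", but the SECURITY.md added in the same patch contains neither: it only links out to the external operator documentation and repeats the in-scope / out-of-scope wording without listing any declarations or non-findings. Either add a short "Known non-findings" / scope list to SECURITY.md or soften the AGENTS.md sentence to say that SECURITY.md points to where the threat model and scope live, so agents are not sent looking for content that is not there.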
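Review bot: In the SECURITY.md hunk, both link targets are empty in the visible lines: "follow the ASF security process at ." ends with no URL, and "is documented at:" is followed by a blank line with no URL. If these were written as bare `<https://...>` autolinks, they are fragile (tools that strip angle-bracket markup drop them, which is consistent with what this diff shows); please use explicit markdown links such as `[ASF security process](<intended URL>)` and `[Spark security documentation](<intended URL>)` so the two reporting and threat-model references always render, since the whole point of the file is to direct reporters and scanning agents to those pages.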