diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 000000000..773a6b5c6
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,7 @@
+# AGENTS.md
+
+## Security
+
+See the [Apache StormCrawler Security Model](https://stormcrawler.apache.org/security/) for the project's
+threat model, trust boundaries, in-scope / out-of-scope declarations, and known non-findings before
+reporting security issues. See also [SECURITY.md](SECURITY.md).
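Review bot: The Security section of AGENTS.md says what to read "before reporting security issues" but never states how to report, so an automated agent that reads only this file has no instruction to keep reports private. Consider adding one sentence here that repeats the rule from SECURITY.md: report privately to security@apache.org and do not open public GitHub issues. The relative link `[SECURITY.md](SECURITY.md)` resolves only while both files stay in the repository root, which is worth keeping in mind if either file is moved later.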
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..1575ab5b4
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,10 @@
+# Security Policy
+
+For the assumptions, trust boundaries, scope, and what Apache StormCrawler considers a security
+vulnerability, see the **[Apache StormCrawler Security Model](https://stormcrawler.apache.org/security/)**.
+
+## Reporting a Vulnerability
+
+Please report security vulnerabilities privately following the
+[ASF security process](https://www.apache.org/security/) — email
+[security@apache.org](mailto:security@apache.org). Do not open public GitHub issues for security reports.
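Review bot: In "Reporting a Vulnerability", the last sentence forbids only public GitHub issues, which leaves other public channels such as pull requests and mailing-list threads unmentioned. Consider widening the wording to cover any public channel. The section also does not say what a report should contain; a short list (affected version, affected module, steps to reproduce, expected impact) would cut down on back-and-forth in triage. Since both links to the Security Model page are external, confirm that https://stormcrawler.apache.org/security/ is published before this merges so the policy does not point at a missing page.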
diff --git a/pom.xml b/pom.xml
index 3c8d3e682..433744447 100644
--- a/pom.xml
+++ b/pom.xml
@@ -558,6 +558,8 @@ under the License.
NOTICE
CONTRIBUTING.md
RELEASING.md
+ AGENTS.md
+ SECURITY.md
external/opensearch/dashboards/**
external/solr/archetype/src/main/resources/archetype-resources/configsets/**
THIRD-PARTY.properties
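Review bot: The two new entries `AGENTS.md` and `SECURITY.md` are added to the list that already holds NOTICE, CONTRIBUTING.md and RELEASING.md, with no comment explaining why they belong there. If this list is the exclusion set for the license-header check, an alternative is to add the ASF header as an HTML comment at the top of each new Markdown file, which avoids growing the exclusion list each time a top-level document is added. If exclusion is the project convention for root-level Markdown files, a brief mention in the commit message is enough.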