diff --git a/NEWS b/NEWS index 549efaac..30e69828 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,7 @@ * #289: Tired of looking up the latest successful archive name in order to pass it to borgmatic actions? Me too. Now you can specify "--archive latest" to all actions that accept an archive flag. + * Add security policy documentation in SECURITY.md. 1.5.0 * #245: Monitor backups with PagerDuty hook integration. See the documentation for more diff --git a/README.md b/README.md index b2ba6e0a..c5ef67a4 100644 --- a/README.md +++ b/README.md @@ -119,7 +119,12 @@ If you'd like to chat with borgmatic developers or users, head on over to the href="https://webchat.freenode.net/?channels=borgmatic">web chat or a native IRC client. -Other questions or comments? Contact . +Also see the [security +policy](https://torsion.org/borgmatic/docs/security-policy/) for any security +issues. + +Other questions or comments? Contact +[witten@torsion.org](mailto:witten@torsion.org). ### Contributing diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 00000000..81a633e7 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,19 @@ +--- +title: Security policy +permalink: security-policy/index.html +--- + +## Supported versions + +While we want to hear about security vulnerabilities in all versions of +borgmatic, security fixes will only be made to the most recently released +version. It's not practical for our small volunteer effort to maintain +multiple different release branches and put out separate security patches for +each. + +## Reporting a vulnerability + +If you find a security vulnerability, please [file a +ticket](https://torsion.org/borgmatic/#issues) or [send email +directly](mailto:witten@torsion.org) as appropriate. You should expect to hear +back within a few days at most, and generally sooner. diff --git a/docs/Dockerfile b/docs/Dockerfile index 9512154f..42bfade2 100644 --- a/docs/Dockerfile +++ b/docs/Dockerfile 
@@ -1,4 +1,4 @@ -FROM python:3.7.4-alpine3.10 as borgmatic +FROM python:3.8.1-alpine3.11 as borgmatic COPY . /app RUN pip install --no-cache /app && generate-borgmatic-config && chmod +r /etc/borgmatic/config.yaml @@ -7,7 +7,7 @@ RUN borgmatic --help > /command-line.txt \ echo -e "\n--------------------------------------------------------------------------------\n" >> /command-line.txt \ && borgmatic "$action" --help >> /command-line.txt; done -FROM node:12.10.0-alpine as html +FROM node:13.7.0-alpine as html ARG ENVIRONMENT=production diff --git a/docs/SECURITY.md b/docs/SECURITY.md new file mode 100644 index 00000000..81a633e7 --- /dev/null +++ b/docs/SECURITY.md @@ -0,0 +1,19 @@ +--- +title: Security policy +permalink: security-policy/index.html +--- + +## Supported versions + +While we want to hear about security vulnerabilities in all versions of +borgmatic, security fixes will only be made to the most recently released +version. It's not practical for our small volunteer effort to maintain +multiple different release branches and put out separate security patches for +each. + +## Reporting a vulnerability + +If you find a security vulnerability, please [file a +ticket](https://torsion.org/borgmatic/#issues) or [send email +directly](mailto:witten@torsion.org) as appropriate. You should expect to hear +back within a few days at most, and generally sooner. diff --git a/docs/how-to/backup-to-a-removable-drive-or-an-intermittent-server.md b/docs/how-to/backup-to-a-removable-drive-or-an-intermittent-server.md index a38b3dc3..4ab1b03e 100644 --- a/docs/how-to/backup-to-a-removable-drive-or-an-intermittent-server.md +++ b/docs/how-to/backup-to-a-removable-drive-or-an-intermittent-server.md 
@@ -10,7 +10,7 @@ buddy's sometimes-online server for that extra level of redundancy. But if you run borgmatic and your hard drive isn't plugged in, or your buddy's server is offline, then you'll get an annoying error message and the overall -borgmatic run will fail (even if individual repositories complete just fine). +borgmatic run will fail (even if individual repositories still complete). So what if you want borgmatic to swallow the error of a missing drive or an offline server, and continue trucking along? That's where the concept of @@ -96,7 +96,7 @@ There are some caveats you should be aware of with this feature. a test to make sure that individual source directories are mounted and available. Use your imagination! * The soft failure feature also works for `before_prune`, `after_prune`, - `before_check`, and `after_check` hooks. However it is not implemented for + `before_check`, and `after_check` hooks. But it is not implemented for `before_everything` or `after_everything`. ## Related documentation
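Review bot: In the new SECURITY.md, under "Reporting a vulnerability", the first channel offered is "file a ticket" and the choice between ticket and email is left to "as appropriate". If the tracker at https://torsion.org/borgmatic/#issues is publicly readable, a report filed there discloses the problem before a fix is released. Suggest stating explicitly that anything exploitable should be sent to the email address first, and that the tracker is for issues that are low-risk or already public.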
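Review bot: docs/SECURITY.md is added as a byte-for-byte copy of the top-level SECURITY.md (both show "index 00000000..81a633e7"), so every later change to the policy has to be made in two places and the copies can drift apart. Suggest keeping one file as the source and making the other a symlink or a copy produced at docs build time. The front matter (title, permalink) looks like it is only needed by the docs site copy.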
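Review bot: In docs/Dockerfile, both updated FROM lines pin the base image by tag only ("python:3.8.1-alpine3.11", "node:13.7.0-alpine"). Tags can be re-pushed, so the docs build cannot be reproduced or verified from this file alone; suggest appending the image digest to each, in the form tag@sha256:<digest>. Separately, Node 13 is an odd-numbered, non-LTS release line with a short support window, so an even-numbered LTS line would receive security fixes for longer.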