diff --git a/.gitignore b/.gitignore index 47f633c5c5..52ec21af7c 100644 --- a/.gitignore +++ b/.gitignore @@ -116,3 +116,20 @@ CLAUDE.md .rooignore .bolt/ .v0/ + +# === SECURITY: Credential patterns — added per Issue #5520 === +*.pem +*.key +*.p12 +*.pfx +*.jks +*.keystore +*.tokencache +credentials.json +service-account.json +.env +.env.* +!.env.example +*.secret +secrets.yaml +secrets.yml diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000000..ea13bcf8f6 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,31 @@ +# Security Policy — Google ADK + +## Reporting a Vulnerability + +If you discover a security vulnerability in this repository, please report it via: + +- Google OSS VRP: https://bughunters.google.com +- Or open a GitHub Security Advisory + +## Credential Handling + +**NEVER** commit any of the following to this repository: + +- OAuth access tokens (`ya29.*`) +- API keys (`AIzaSy*`) +- Service account JSON keys +- Private keys (`.pem`, `.key`) +- `.env` files with real credentials +- Any form of password or secret + +Use environment variables or a secrets manager instead. + +## Pre-commit Checks + +Run before committing: +```bash +pip install detect-secrets +detect-secrets scan --all-files +``` + +Reported by: @k4w1992-lgtm | Google Issue: #504158909
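Review bot: The `.gitignore` hunk only blocks untracked files with matching names, so it is a weak control on its own; `git add -f`, files that are already tracked, and secrets stored under other names (for example `my-service-account.json` or `id_rsa`, neither of which matches the exact-name patterns `credentials.json` / `service-account.json` or the extension list) all pass through unaffected. Consider widening the filename patterns (`*service-account*.json`, `*credentials*.json`, `id_rsa*`, `*.ppk`, `.netrc`) and, in the PR description, state that the real enforcement is the detect-secrets hook rather than this list. The `!.env.example` negation is correctly placed after `.env.*`, so the example file stays trackable. The header comment cites "Issue #5520" while the SECURITY.md hunk cites "Google Issue: #504158909"; if these are the same report, use one identifier in both places so the reference can be followed.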
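Review bot: In the new `SECURITY.md`, the "Pre-commit Checks" section tells contributors to run `detect-secrets scan --all-files`, but that command only prints findings; nothing fails the commit, so the heading overstates what it provides. Suggest either wiring the scanner into a pre-commit hook (for example a `.pre-commit-config.yaml` entry using `detect-secrets-hook` with a committed `.secrets.baseline`) or renaming the section to "Manual scan" and describing how to interpret the output. The "Credential Handling" section lists what not to commit but not what to do if a credential already landed in history (revoke and rotate it first, then scrub history), which is the step reporters most often get wrong; a short "If you committed a secret" subsection would close that gap. The trailing line "Reported by: @k4w1992-lgtm | Google Issue: #504158909" is attribution for this change and belongs in the PR description or commit message, not in a policy document that future readers will treat as the project's standing guidance.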