diff --git a/README.md b/README.md
index abb90c9f5..796b970f6 100644
--- a/README.md
+++ b/README.md
@@ -10,4 +10,12 @@ GOV.UK Pay Frontend application (Node.js)
 | CONNECTOR_TOKEN_URL         | X |      | The connector endpoint to use when validating the one time token. |
 | ANALYTICS_TRACKING_ID       | X |      | Tracking ID to be used by 'Google-Analytics'. |
 | SECURE_COOKIE_OFF           |   | false/undefined | To switch off generating secure cookies. Set this to `true` only if you are running self service in a `non HTTPS` environment. |
-| NODE_WORKER_COUNT           |   | 1 | The number of worker threads started by node cluster when run in production mode |
\ No newline at end of file
+| NODE_WORKER_COUNT           |   | 1 | The number of worker threads started by node cluster when run in production mode |
+
+## Licence
+
+[MIT License](LICENSE)
+
+## Responsible Disclosure
+
+GOV.UK Pay aims to stay secure for everyone. If you are a security researcher and have discovered a security vulnerability in this code, we appreciate your help in disclosing it to us in a responsible manner. We will give appropriate credit to those reporting confirmed issues. Please e-mail gds-team-pay-security@digital.cabinet-office.gov.uk with details of any issue you find, we aim to reply quickly.