diff --git a/.github/SECURITY.md b/.github/SECURITY.md index 3a2ccda92d..83f7041e30 100644 --- a/.github/SECURITY.md +++ b/.github/SECURITY.md @@ -2,6 +2,13 @@ Please file a private vulnerability report via GitHub, email [@ljharb](https://github.com/ljharb), or see https://tidelift.com/security if you have a potential security vulnerability to report. +## Escalation + +If you do not receive an acknowledgement of your report within 6 business days, or if you cannot find a private security contact for the project, you may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`. + +If the project acknowledges your report but does not provide any further response or engagement within 14 days, escalation is also appropriate. + + ## OpenSSF CII Best Practices [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/684/badge)](https://bestpractices.coreinfrastructure.org/projects/684)
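Review bot: the two timeouts in the new "## Escalation" section use different units without saying so; "within 6 business days" for the initial acknowledgement but "within 14 days" for further engagement, which a reporter will have to guess is calendar days. Suggest stating the unit explicitly on the second sentence, e.g. "within 14 calendar days", so the two thresholds are not read as the same kind of day. Two smaller points in the same hunk: the added lines end with two consecutive blank `+` lines before "## OpenSSF CII Best Practices", where the rest of the file uses a single blank line between sections, and the CNA address is set in backticks (`security@lists.openjsf.org`) while the existing contact line links its targets (the `[@ljharb](...)` link and the Tidelift URL); a `mailto:` link would match that convention and be clickable in the rendered page.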