diff --git a/SECURITY.md b/SECURITY.md
index 951387dfe3..435da11190 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -23,3 +23,7 @@ Report security bugs in third-party modules to the person or team maintaining th
 We aim to patch confirmed vulnerabilities within 90 days or less, disclosing the details of those vulnerabilities when a patch is published. We ask that you refrain from sharing your report with others while we work on our patch.
 
 We may want to coordinate an advisory with you to be published simultaneously with the patch, but you are also welcome to self-disclose after 90 days if you prefer. We will never publish information about you or our communications with you without your permission.
+
+## Bounties
+
+Everyone who works on shields is an unpaid volunteer. That includes the core team, contributors and people who report security vulnerabilities. This means we are unable to offer bug or security bounties.