diff --git a/README.md b/README.md
index 4f8beae..28192ac 100644
--- a/README.md
+++ b/README.md
@@ -29,6 +29,14 @@ jobs:
 | `crate` | ✓        | Name of crate as published to crates.io      |
 | `bin`   |          | Name of binary; default = same as crate name |
 
+## Security
+
+Binaries are cryptographically signed and verified using [GitHub artifact
+attestation] to establish the build's provenance, including the specific
+workflow file and workflow run that produced the artifact.
+
+[GitHub artifact attestation]: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
+
 ## License
 
 The scripts and documentation in this project are released under the [MIT
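Review bot: The new Security section says binaries are "signed and verified" but does not say who performs the verification, when it happens, or what happens when it fails. A reader cannot tell from "Binaries are cryptographically signed and verified using [GitHub artifact attestation]" whether the action checks the attestation itself before installing the binary or whether users are expected to check it. I'd suggest stating explicitly where verification happens, which identity the attestation is checked against (the paragraph mentions "the specific workflow file and workflow run", so name the expected repository and workflow file), and that a failed or missing attestation stops the install rather than being skipped. If users are also meant to be able to check a binary by hand, a one-line pointer to the GitHub CLI's `gh attestation verify` command would make the claim actionable.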