diff --git a/.github/workflows/cla-check.yaml b/.github/workflows/cla-check.yaml
index 9e5702ea..7c49da6e 100644
--- a/.github/workflows/cla-check.yaml
+++ b/.github/workflows/cla-check.yaml
@@ -3,7 +3,7 @@ on: [pull_request]
 
 jobs:
   cla-check:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-24.04
     steps:
       - name: Check if CLA signed
         uses: canonical/has-signed-canonical-cla@v2
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 00000000..237fae77
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,9 @@
+To report a security issue, file a [Private Security
+Report](https://github.com/canonical/ceph-containers/security/advisories) with
+a description of the issue, the steps you took to create the issue, affected
+versions, and, if known, mitigations for the issue.
+
+The [Ubuntu Security disclosure and embargo
+policy](https://ubuntu.com/security/disclosure-policy) contains more
+information about what you can expect when you contact us and what we expect
+from you.