diff --git a/app/.well-known/security.txt b/app/.well-known/security.txt
new file mode 100644
index 000000000..f95ac3c33
--- /dev/null
+++ b/app/.well-known/security.txt
@@ -0,0 +1,2 @@
+Contact: mailto:notify-support@gsa.gov
+Expires: 2035-10-15T23:59:59Z
diff --git a/app/main/views/security_policy.py b/app/main/views/security_policy.py
index 35ffd359e..cb87cfc1c 100644
--- a/app/main/views/security_policy.py
+++ b/app/main/views/security_policy.py
@@ -1,4 +1,4 @@
-from flask import redirect
+from flask import send_from_directory
 from app.main import main
@@ -6,6 +6,4 @@ from app.main import main
 @main.route("/.well-known/security.txt", methods=["GET"])
 @main.route("/security.txt", methods=["GET"])
 def security_policy():
- # See GDS Way security policy which this implements
- # https://gds-way.cloudapps.digital/standards/vulnerability-disclosure.html#vulnerability-disclosure-and-security-txt
- return redirect("https://vdp.cabinetoffice.gov.uk/.well-known/security.txt")
+ return send_from_directory(".well-known", "security.txt")
diff --git a/tests/app/main/views/test_security_policy.py b/tests/app/main/views/test_security_policy.py
index 61620516d..456724cfa 100644
--- a/tests/app/main/views/test_security_policy.py
+++ b/tests/app/main/views/test_security_policy.py
@@ -11,6 +11,6 @@ import pytest
 def test_security_policy_redirects_to_policy(client_request, url):
 client_request.get_url(
 url,
- _expected_status=302,
- _expected_redirect="https://vdp.cabinetoffice.gov.uk/.well-known/security.txt",
+ _test_page_title=False,
+ _expected_status=200,
 )
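Review bot: `Expires: 2035-10-15T23:59:59Z` in the new security.txt is about a decade out; RFC 9116 recommends that the Expires value be less than a year in the future, so that a contact address that has gone stale is noticed and refreshed rather than trusted indefinitely. An expiry under a year, with the test in this commit asserting the date is still in the future, keeps the file from silently rotting. The file also omits the optional `Canonical:` field (`Canonical: https://<deployed-host>/.well-known/security.txt`, host to be taken from deployment config not shown here), which lets a researcher confirm they are reading the authoritative copy.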
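Review bot: `return send_from_directory(".well-known", "security.txt")` passes a relative directory, which Flask resolves against the application's root_path, so the endpoint only works if `app/.well-known/` actually ships in the deployed artifact; dot-directories are easy to lose in packaging or container copy steps, and a missing file would surface as a 404 on the disclosure endpoint rather than a deploy-time failure (inferred from the path added elsewhere in this commit, not visible in this hunk). The removed comment was the only explanation of what this view is for; a docstring such as `"""Serve the RFC 9116 security.txt bundled under app/.well-known."""` would keep that context for the next reader. The file name is a constant here, so the traversal protection inside send_from_directory is not being relied upon.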
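Review bot: The test name `test_security_policy_redirects_to_policy` now describes the old behaviour, and the hunk only asserts a 200, so it no longer verifies that the disclosure contact is actually served. Renaming it to `test_security_policy_serves_security_txt` and asserting the response body contains `Contact: mailto:notify-support@gsa.gov` (and, ideally, that the Expires date is still in the future) would catch a wrong or missing file, which with send_from_directory would otherwise only show up as a 404 in production. The parametrize decorator supplying `url` sits above the hunk, and the return value of `client_request.get_url` is not visible here, so the body assertion would need to use whatever that helper exposes.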