diff --git a/Build-Security.md b/Build-Security.md
new file mode 100644
index 0000000..edcfbe8
--- /dev/null
+++ b/Build-Security.md
@@ -0,0 +1,2 @@
+1. On execution of ``./gradlew build``, the gradle wrapper downloads the actually required gradle version. This download is protected by SHA-256 verification [integrated by us into Gradle Wrapper](https://github.com/gradle/gradle/pull/448) (see [gradle/wrapper/gradle-wrapper.properties](https://github.com/open-keychain/open-keychain/blob/master/gradle/wrapper/gradle-wrapper.properties)).
+2. All dependencies are either included as git submodules or downloaded from JCenter. JCenter dependencies are verified using SHA-256 by [Gradle Witness](https://github.com/WhisperSystems/gradle-witness) (see [OpenKeychain/build.gradle](https://github.com/open-keychain/open-keychain/blob/master/OpenKeychain/build.gradle)).
\ No newline at end of file