diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..f3ecd61a17
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,5 @@
+# Security Policy
+
+For a more in-depth look at our security policy, please check out our [Coordinated Vulnerability Disclosure Policy](https://openai.com/security/disclosure/#:~:text=Disclosure%20Policy,-Security%20is%20essential&text=OpenAI%27s%20coordinated%20vulnerability%20disclosure%20policy,expect%20from%20us%20in%20return.).
+
+Our PGP key can located [at this address.](https://cdn.openai.com/security.txt)
diff --git a/src/agents/mcp/server.py b/src/agents/mcp/server.py
index be595f11c5..8d3bdd752a 100644
--- a/src/agents/mcp/server.py
+++ b/src/agents/mcp/server.py
@@ -1297,8 +1297,9 @@ def create_streams(
 }
 if "auth" in self.params:
 kwargs["auth"] = self.params["auth"]
- if "httpx_client_factory" in self.params:
- kwargs["httpx_client_factory"] = self.params["httpx_client_factory"]
+ kwargs["httpx_client_factory"] = (
+ self.params.get("httpx_client_factory") or _create_default_streamable_http_client
+ )
 return sse_client(**kwargs)

 @property
diff --git a/tests/mcp/test_mcp_auth_params.py b/tests/mcp/test_mcp_auth_params.py
index 14f52faf1e..ebc6c1934e 100644
--- a/tests/mcp/test_mcp_auth_params.py
+++ b/tests/mcp/test_mcp_auth_params.py
@@ -16,7 +16,7 @@ class TestMCPServerSseAuthAndFactory:

 @pytest.mark.asyncio
 async def test_sse_default_no_auth_no_factory(self):
- """SSE create_streams passes only the four base params when no extras are set."""
+ """SSE create_streams falls back to the hardened default httpx_client_factory."""
 with patch("agents.mcp.server.sse_client") as mock_client:
 mock_client.return_value = MagicMock()
 server = MCPServerSse(params={"url": "http://localhost:8000/sse"})
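Review bot: In `create_streams` (src/agents/mcp/server.py) the fallback is written with `or`, so an explicit `httpx_client_factory=None` or any other falsy value in `params` is now replaced by `_create_default_streamable_http_client`, and a caller can no longer reach whatever default `sse_client` would pick on its own. The test docstrings call that default "hardened", which suggests this is intended, but nothing at the call site says so or says what the default enforces. I would add a comment above the assignment, for example `# Always pass a factory so SSE never uses the library's own client; a missing or falsy param selects the hardened default.` The helper's name points at the streamable-HTTP transport and its signature is not visible here, so it is worth confirming it accepts the keyword arguments `sse_client` hands to its factory. The body of `create_streams` begins above this hunk.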
@@ -26,11 +26,12 @@ async def test_sse_default_no_auth_no_factory(self):
 headers=None,
 timeout=5,
 sse_read_timeout=300,
+ httpx_client_factory=_create_default_streamable_http_client,
 )

 @pytest.mark.asyncio
 async def test_sse_with_auth(self):
- """SSE create_streams forwards the auth parameter when provided."""
+ """SSE create_streams forwards auth and still applies the hardened default factory."""
 auth = httpx.BasicAuth(username="user", password="pass")
 with patch("agents.mcp.server.sse_client") as mock_client:
 mock_client.return_value = MagicMock()
@@ -42,6 +43,7 @@ async def test_sse_with_auth(self):
 timeout=5,
 sse_read_timeout=300,
 auth=auth,
+ httpx_client_factory=_create_default_streamable_http_client,
 )

 @pytest.mark.asyncio
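Review bot: The updated assertions in `test_sse_default_no_auth_no_factory` and `test_sse_with_auth` (this hunk and the one at -42,6) only check that the function object `_create_default_streamable_http_client` is handed to a patched `sse_client`. Nothing here calls the factory, so a signature mismatch with the SSE transport, or a regression in the client settings the default is meant to enforce, would still pass. The `or` branch added in `create_streams` is also not pinned for an explicit falsy value; a case that builds the server with `"httpx_client_factory": None` in `params` and asserts the default is passed would cover it. These hunks add no import line, so the name is presumably already imported at the top of the test file. `test_sse_with_auth` starts inside the first hunk and continues past the second.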