1# Security Policy 2 3Last Updated: 2020-03-21 4 5## Reporting a Vulnerability 6 7In unlikely event of finding a security vulnerability directly relating to `jackson-annotations` 8package -- unlikely, as there is very little code in this package -- 9the recommended mechanism for reporting possible security vulnerabilities follows 10so-called "Coordinated Disclosure Plan" (see [definition of DCP](https://vuls.cert.org/confluence/display/Wiki/Coordinated+Vulnerability+Disclosure+Guidance) 11for general idea). The first step is to file a [Tidelift security contact](https://tidelift.com/security): 12Tidelift will route all reports via their system to maintainers of relevant package(s), and start the 13process that will evaluate concern and issue possible fixes, send update notices and so on. 14Note that you do not need to be a Tidelift subscriber to file a security contact. 15 16