# Security Policy

Last Updated: 2020-03-21

## Reporting a Vulnerability

In the unlikely event of finding a security vulnerability directly relating to the `jackson-annotations`
package -- unlikely, as there is very little code in this package --
the recommended mechanism for reporting possible security vulnerabilities follows the
so-called "Coordinated Disclosure Plan" (see [definition of DCP](https://vuls.cert.org/confluence/display/Wiki/Coordinated+Vulnerability+Disclosure+Guidance)
for the general idea). The first step is to file a [Tidelift security contact](https://tidelift.com/security):
Tidelift will route all reports via their system to the maintainers of the relevant package(s), and start the
process that will evaluate the concern and issue possible fixes, send update notices and so on.
Note that you do not need to be a Tidelift subscriber to file a security contact.