# Security Policy

## Reporting a Vulnerability

If you find any vulnerabilities in the **dotty** project, don't hesitate to _report them_.

1. Use any of the [private contact addresses](https://github.com/stramel).
2. Describe the vulnerability.

- If you have a fix, explain or attach it.
- Expect a reply in the near future with the required steps. You may also be asked for a pull request that includes the fixes.

> You should not disclose the vulnerability publicly if you haven't received an answer in some weeks.
> If the vulnerability is rejected, you may post it publicly within some hours of rejection, unless the rejection is withdrawn within that time period.
> After the vulnerability has been fixed, you may disclose the vulnerability details publicly over some days.
