# Security policy

## Reporting a vulnerability

If you have found a possible vulnerability, please email `security at astral dot sh`.

## Bug bounties

While we sincerely appreciate and encourage reports of suspected security problems, please note that
Astral does not currently run any bug bounty programs.

## Vulnerability disclosures

Critical vulnerabilities will be disclosed via GitHub's
[security advisory](https://github.com/astral-sh/ruff/security) system.