omx(team): auto-checkpoint worker-4 [unknown]

SECURITY.md

@@ -0,0 +1,49 @@
+# Security Policy
+
+## Supported versions
+
+Security fixes target the current `main` branch and the latest published
+release artifacts when available. Older experimental branches are not supported
+unless a maintainer explicitly marks them as supported.
+
+## Reporting a vulnerability
+
+Please do **not** open a public issue for a suspected vulnerability. Use GitHub
+private vulnerability reporting for `ultraworkers/claw-code` when available, or
+contact a maintainer through the repository's published support channel with a
+minimal, non-destructive reproduction.
+
+Include:
+
+- affected command, crate, or workflow;
+- operating system and shell, especially for Windows/PowerShell path issues;
+- whether live credentials, MCP servers, plugins, or workspace filesystem
+  access are involved;
+- expected impact and any safe proof-of-concept steps.
+
+Do not include real API keys, private prompts, session transcripts with secrets,
+or exploit payloads that modify third-party systems.
+
+## Scope
+
+In scope:
+
+- workspace path traversal or symlink escapes;
+- permission bypasses, sandbox misreporting, or unsafe tool execution;
+- credential disclosure in logs, JSON output, telemetry, docs, or examples;
+- plugin, hook, MCP, provider, or config behavior that can unexpectedly execute
+  code or leak secrets.
+
+Out of scope:
+
+- social engineering;
+- denial-of-service without a practical security impact;
+- issues that require already-compromised local developer credentials;
+- reports against third-party providers or upstream tools without a Claw Code
+  integration issue.
+
+## Handling expectations
+
+Maintainers will acknowledge valid private reports as soon as practical, keep
+discussion private until a fix or mitigation is available, and credit reporters
+when requested and appropriate.