eeymoo/claw-code
1
0
Fork 0
mirror of https://github.com/instructkr/claw-code.git synced 2026-04-27 16:24:57 +08:00
Code Issues Packages Projects Releases Wiki Activity

docs: add SECURITY.md responsible-disclosure stub + CONTRIBUTING.md security note

Browse Source
This commit is contained in:
YeonGyu-Kim
2026-04-26 21:01:41 +09:00
parent 580128eddb
commit 672a7f8288
2 changed files with 53 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CONTRIBUTING.md
View File

@@ -2,6 +2,10 @@
Thanks for your interest. This project follows the **gaebal-gajae pinpoint cadence** — see [ROADMAP.md](./ROADMAP.md) for the current pinpoint census. Here's how to contribute effectively.
## Security
For security vulnerabilities, see [SECURITY.md](./SECURITY.md). **Do not file public pinpoints for security issues.**
## Filing a ROADMAP Pinpoint
All feature requests and bug reports go through the pinpoint format (see `ROADMAP.md`). Each pinpoint must have:

49
SECURITY.md Normal file
View File

@@ -0,0 +1,49 @@
# Security Policy
## Supported Versions
This project is pre-1.0 / active development. Only the `main` branch (and the current active feature branch) receives security attention. No LTS commitment exists yet.
| Branch | Supported |
|--------|-----------|
| `main` | ✅ |
| older forks/branches | ❌ |
## Reporting a Vulnerability
**Do not file a public GitHub issue for security vulnerabilities.**
Please use [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) to report privately:
1. Go to the **Security** tab of this repository
2. Click **"Report a vulnerability"**
3. Describe the issue with reproduction steps and impact
We aim to acknowledge within **72 hours** and work toward coordinated disclosure.
## Disclosure Process
1. Report received → acknowledgement within 72h
2. We assess severity and reproduce the issue
3. Fix developed and reviewed privately
4. Fix shipped; advisory published after patch is live
5. Credit given to reporter (unless they prefer anonymity)
## Scope
**In scope:**
- Remote code execution (RCE)
- Authentication or authorization bypass
- Secrets / credentials exfiltration
- Sandbox escape (agent isolation boundary violations)
- Privilege escalation
**Out of scope:**
- Denial of service (DoS/resource exhaustion)
- Social engineering attacks
- Vulnerabilities in third-party dependencies — report those upstream
- Behavior that is working as intended (check ROADMAP.md pinpoints first)
## License
This project is [MIT-licensed](./LICENSE) — provided as-is, without warranty of any kind.