mirror of
https://github.com/instructkr/claw-code.git
synced 2026-04-28 01:05:01 +08:00
# Security Policy

## Supported Versions

This project is pre-1.0 / active development. Only the `main` branch (and the current active feature branch) receives security attention. No LTS commitment exists yet.

| Branch | Supported |
|--------|-----------|
| `main` | ✅ |
| older forks/branches | ❌ |

## Reporting a Vulnerability

**Do not file a public GitHub issue for security vulnerabilities.**

Please use [GitHub Security Advisories](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) to report privately:

1. Go to the **Security** tab of this repository
2. Click **"Report a vulnerability"**
3. Describe the issue with reproduction steps and impact

We aim to acknowledge within **72 hours** and work toward coordinated disclosure.

## Disclosure Process

1. Report received → acknowledgement within 72h
2. We assess severity and reproduce the issue
3. Fix developed and reviewed privately
4. Fix shipped; advisory published after patch is live
5. Credit given to reporter (unless they prefer anonymity)

## Scope

**In scope:**

- Remote code execution (RCE)
- Authentication or authorization bypass
- Secrets / credentials exfiltration
- Sandbox escape (agent isolation boundary violations)
- Privilege escalation

**Out of scope:**

- Denial of service (DoS/resource exhaustion)
- Social engineering attacks
- Vulnerabilities in third-party dependencies — report those upstream
- Behavior that is working as intended (check ROADMAP.md pinpoints first)

## License

This project is [MIT-licensed](./LICENSE) — provided as-is, without warranty of any kind.