Security

SECURITY.md

Security Policy

Supported Versions

Security fixes are applied to the latest release line on main.

Reporting a Vulnerability

Do not open public issues for security reports.

Send a private report with:

vulnerability type
affected component/file
reproduction steps
impact assessment
suggested remediation (if available)

Use GitHub Security Advisories for private disclosure:

https://github.com/ychampion/codeclaw/security/advisories/new

If advisories are unavailable for your account context, open a private support request and clearly mark it as a security report.

Response Expectations

Initial triage acknowledgement: within 72 hours
Risk assessment + mitigation plan: as soon as reproducible
Public disclosure: after patch is available and users can upgrade

There aren’t any published security advisories