Security updates are applied to the latest release line on the default branch (main). Older tags may not receive backports unless noted in a security advisory.
Please report security issues privately so we can address them before public disclosure.
- Preferred: GitHub private vulnerability reporting (if enabled on the repository).
- Email: [email protected] with subject line [SECURITY] claw-engine.
Include:
- Description of the issue and impact
- Steps to reproduce (proof-of-concept if possible)
- Affected versions or commits (if known)
We aim to acknowledge valid reports within a few business days and will coordinate disclosure once a fix is available.
Out of scope:
- Denial-of-service against your own local instance without a clear security boundary issue
- Issues that require physical access or already-compromised machines
- Dependency advisories already tracked by Dependabot / GitHub — please open a normal issue or PR to bump versions unless you believe the project’s usage is uniquely unsafe
Thank you for helping keep users safe.