Our Security Disclosure Process: How to Report Vulnerabilities
SafeClaw is a security tool. If there's a vulnerability in SafeClaw itself, the consequences are severe — an agent could bypass the guardrails that users depend on. We take vulnerability reports with the utmost seriousness, and we've built a structured process to handle them quickly and transparently.
Here's how it works.
How to Report
If you've found a security vulnerability in SafeClaw, do not open a public GitHub issue. Public disclosure before a fix is available puts all users at risk.
Instead, report vulnerabilities through our dedicated security channel:
Email: security@authensor.com
What to include:
- A description of the vulnerability
- Steps to reproduce it
- The affected component (classifier, policy engine, boundary enforcer, etc.)
- Your assessment of the severity
- Any proof-of-concept code
If you're unsure whether something is a security vulnerability or a regular bug, err on the side of caution and use the security channel. We'd rather triage a regular bug through the security process than have a vulnerability disclosed publicly.
Our Response Timeline
We commit to the following timeline for every security report:
- Within 24 hours — We acknowledge receipt of your report and assign it to a team member.
- Within 72 hours — We provide an initial assessment: confirmed vulnerability, needs more investigation, or not a vulnerability (with explanation).
- Within 7 days — For confirmed vulnerabilities, we have a fix in development and provide an estimated release date.
- Within 14 days — For most vulnerabilities, a fix is released. Complex issues may take longer, but we communicate timelines proactively.
- Within 30 days — We publish a security advisory documenting the vulnerability, affected versions, and the fix.
These timelines are targets, not guarantees. Exceptionally complex vulnerabilities may take longer, but we communicate transparently throughout.
Severity Classification
We classify vulnerabilities using a simplified severity scale:
- Critical — An attacker or agent can bypass SafeClaw's action gating entirely, executing actions without evaluation. These receive immediate attention and an emergency release.
- High — A specific class of actions can bypass gating under certain conditions (e.g., symlink attacks that evade boundary checks). These receive priority attention and a release within 7 days.
- Medium — A vulnerability that weakens SafeClaw's protection but doesn't eliminate it (e.g., a risk signal that can be evaded). These are addressed in the next regular release.
- Low — An issue with minimal security impact (e.g., an information disclosure in a log file that's already protected by filesystem permissions). These are addressed on a best-effort basis.
The Fix Process
When we confirm a vulnerability, the fix process follows a defined sequence:
Recognition
We credit security researchers who report vulnerabilities responsibly. Every security advisory includes the reporter's name and affiliation (with their permission). We maintain a security hall of fame on our website for researchers who have helped improve SafeClaw's security.
While we don't currently operate a paid bug bounty program, we're exploring options as the project grows.
Security Audit History
We publish all resolved security advisories on our documentation site. This transparency serves two purposes: it demonstrates that we take security seriously, and it gives users the information they need to evaluate whether their version is affected by known issues.
Our full security policy, including PGP keys for encrypted communication, is in the SECURITY.md file on GitHub.
Security is a process, not a destination. Every vulnerability reported and fixed makes SafeClaw stronger. We're grateful to every researcher who takes the time to report responsibly.