Vulnerability Disclosure Policy
Last Updated: March 2026
ClawSecure is committed to the security of our platform, our users, and the broader OpenClaw ecosystem. This vulnerability disclosure policy outlines how security researchers can responsibly report security issues and what to expect from our team.
We welcome responsible security research. If you believe you have discovered a vulnerability in any ClawSecure system, we encourage you to report it to us through the process described below.
Scope of Security Research
The following ClawSecure systems and services are in scope for responsible security research under this policy:
- The clawsecure.ai website and all subdomains
- ClawSecure API endpoints, including scan submission, report retrieval, and the Security Clearance API
- The ClawSecure Watchtower continuous monitoring system
- The public GitHub repository at github.com/ClawSecure/clawsecure-openclaw-security
If you are unsure whether a system is in scope, contact us at security@clawsecure.ai before beginning your research.
Systems and Services Out of Scope
The following are excluded from this vulnerability disclosure policy:
- Third-party services and platforms used by ClawSecure (hosting providers, DNS providers, database services)
- Social engineering attacks against ClawSecure employees or users
- Denial of service (DoS/DDoS) testing
- Physical attacks against ClawSecure infrastructure
- Automated scanning that generates excessive traffic or degrades service for other users
- Any systems or services not listed in the Scope section above
How to Report a Security Vulnerability
Send your report to: security@clawsecure.ai
Please include the following in your report:
- A description of the vulnerability and its potential impact
- Detailed steps to reproduce the issue (proof of concept scripts or screenshots are helpful)
- The URL, endpoint, or component where the vulnerability exists
- Your contact information (optional; needed only if you want us to follow up with you)
Reports may be submitted anonymously. All reports are treated as confidential.
Our Response Commitment
Acknowledgment: We will acknowledge receipt of your vulnerability report within 3 business days.
Assessment: We will investigate and validate the reported vulnerability and keep you informed of our progress.
Resolution: We will work to resolve confirmed vulnerabilities in a timely manner and notify you when the issue has been addressed.
Recognition: With your permission, we will recognize your contribution publicly. If you prefer to remain anonymous, we will respect that.
Safe Harbor for Security Researchers
ClawSecure will not pursue legal action against security researchers who:
- Act in good faith to comply with this policy
- Report vulnerabilities directly to us before any public disclosure
- Avoid violating the privacy of others, disrupting our systems, or destroying data
- Do not exploit a vulnerability beyond what is necessary to demonstrate the issue
- Do not access or modify data belonging to other users
If you follow these guidelines, we consider your research to be authorized. We will not initiate legal action against you related to your research activities conducted under this policy.
Responsible Disclosure Guidelines
We ask that security researchers:
- Give us a reasonable amount of time to investigate and address the vulnerability before any public disclosure
- Coordinate with us on the timing and content of any public disclosure
- Do not publicly disclose vulnerability details until we have confirmed the issue is resolved, or 90 days have passed since your initial report, whichever comes first
Prohibited Activities
When conducting security research under this policy, do not:
- Access, modify, or delete data that does not belong to you
- Degrade the availability or performance of ClawSecure services
- Use findings from this program to extort or threaten ClawSecure or its users
- Conduct research that could harm ClawSecure users or the OpenClaw community
Security Contact
Email: security@clawsecure.ai
This policy is also referenced in our security.txt file. For general information about ClawSecure's security practices, visit our Trust Center. To scan an OpenClaw skill for vulnerabilities, use our free security scanner. To browse audited skills, visit the Skill Discovery Registry.
This policy may be updated from time to time. The most current version will always be available at this URL.