Security updates are provided for the latest release on the default branch.
If you discover a security vulnerability in ClawHive, please report it responsibly.
Do not open a public GitHub issue for security vulnerabilities.
Instead, email: secops@prosus.com
Include:
- A description of the vulnerability
- Steps to reproduce or a proof-of-concept
- The affected component
- Any potential impact you have identified
| Step | Timeline |
|---|---|
| Acknowledgement of your report | Within 3 business days |
| Initial assessment and severity triage | Within 7 business days |
| Fix development and review | Depends on severity |
| Public disclosure (coordinated with reporter) | After fix is released |
We will work with you to understand the issue and coordinate disclosure. We ask that you give us a reasonable window to address the vulnerability before making it public.
This policy covers:
- Router, admin API, identity, webhook, quota, and security code under `src/`
- Build, bootstrap, migration, and runtime scripts under `scripts/`
- Dockerfiles, `docker-compose.yml`, and related container/runtime configuration
- Infrastructure and deployment assets under `infra/`
- GitHub workflows and release/build automation
- Documentation and published packages or artifacts
We're happy to credit reporters in our CHANGELOG.md and release notes, unless you prefer to remain anonymous. Let us know your preference when you report.