Security: Radix-Obsidian/DraftClaw

.github/SECURITY.md

Security Policy

Reporting a Vulnerability

At DraftClaw, we take security seriously. If you believe you've found a security vulnerability in our software, please report it to us as described below. We appreciate your efforts to responsibly disclose your findings.

How to Report

DO NOT create a public GitHub issue for security vulnerabilities.

Instead, please send an email to [INSERT SECURITY EMAIL] with:

  1. Description of the vulnerability
  2. Steps to reproduce the issue
  3. Potential impact of the vulnerability
  4. Any suggested fixes (if available)

What to Expect

  1. Initial Response: We will acknowledge receipt of your report within 24 hours.
  2. Updates: We will keep you informed of the progress towards fixing the vulnerability.
  3. Resolution: Once fixed, we will notify you and discuss the timeline for public disclosure.

Security Best Practices

For Users

  1. Keep Updated: Always use the latest version of DraftClaw
  2. API Keys: Never share your API keys or credentials
  3. Local Security: Ensure your machine meets our security requirements
  4. Access Control: Follow the principle of least privilege

For Contributors

  1. Code Review: All changes undergo security review
  2. Dependencies: Keep dependencies up to date
  3. Testing: Include security tests where applicable
  4. Documentation: Document security implications of changes

Scope

What's Included

  • Core DraftClaw software
  • Official extensions
  • Documentation
  • Infrastructure code

What's Not Included

  • Third-party extensions
  • Community plugins
  • External services
  • User configurations

Disclosure Policy

  1. Timeline:
    • Day 0: Initial report received
    • Day 1: Acknowledgment sent
    • Day 7: Initial assessment completed
    • Day 30: Target for fix implementation
    • Day 45: Public disclosure (if appropriate)
  2. Public Disclosure:
    • Coordinated with reporter
    • Full credit given to discoverer
    • Technical details released after fix

Security Measures

Data Protection

  • All sensitive data is encrypted at rest
  • Communication uses secure protocols
  • Regular security audits performed
  • Access logs maintained

Authentication

  • Strong password requirements
  • Multi-factor authentication support
  • Session management
  • Regular token rotation

Past Security Advisories

Security advisories are published in our Security Advisories section after they have been resolved.

Recognition

We maintain a hall of fame for security researchers who have helped improve DraftClaw's security. Contributors will be acknowledged (with permission) after the vulnerability has been fixed.

There aren’t any published security advisories