gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
clawsec/SECURITY.md
T
davida-ps 331219eec3 Add Contributor Covenant Code of Conduct and Security policy 
* Add Contributor Covenant Code of Conduct

This document outlines the expectations for behavior within the community, including pledges, standards, enforcement responsibilities, and consequences for violations.

* Create SECURITY.md for security policy and reporting

Added a security policy document outlining supported versions and vulnerability reporting procedures.

* Update CODE_OF_CONDUCT.md

Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>

---------

Co-authored-by: baz-reviewer[bot] <174234987+baz-reviewer[bot]@users.noreply.github.com>
2026-02-11 11:31:18 +02:00

43 lines
2.2 KiB
Markdown
Raw Permalink Blame History

# Security Policy
## Supported Versions
ClawSec follows a strict release lifecycle where **only the latest version within each major version** is retained and supported.
When a new patch or minor version is released (e.g., updating from `1.0.0` to `1.0.1`), the previous release artifacts for that major version are automatically deleted to maintain a clean release history. Major versions co-exist for backwards compatibility.
| Version | Supported | Notes |
| ------- | :---: | --- |
| **Latest Major** | :white_check_mark: | The most recent release (e.g., `v1.x.x`) is fully supported. |
| **Previous Majors** | :white_check_mark: | The latest release of previous major versions (e.g., `v0.x.x`) remains available. |
| **Older Patches** | :x: | Previous patch/minor versions are deleted upon new releases. |
## Reporting a Vulnerability
We welcome reports regarding prompt injection vectors, malicious skills, or security vulnerabilities in the ClawSec suite.
### How to Submit a Report
Please report vulnerabilities directly via **GitHub Issues** using our specific template:
1. Navigate to the **Issues** tab.
2. Open a new issue using the **Security Incident Report** template.
3. Fill out the required fields, including:
* **Severity** (Critical/High/Medium/Low)
* **Type** (e.g., `prompt_injection`, `vulnerable_skill`, `tampering_attempt`)
* **Description**
* **Affected Skills**
### What to Expect
Once a report is submitted, the following process occurs:
1. **Review:** A maintainer will review your report.
2. **Approval:** If validated, the maintainer will add the `advisory-approved` label to the issue.
3. **Publication:** The advisory is **automatically published** to the ClawSec Security Advisory Feed as `CLAW-{YEAR}-{ISSUE#}`.
4. **Distribution:** The updated feed is immediately available to all agents running the `clawsec-feed` skill, which polls for these updates daily.
### Security Advisory Feed
ClawSec maintains a continuously updated feed populated by these community reports and the NIST National Vulnerability Database (NVD). You can verify the current status of known vulnerabilities by querying the feed directly:
```bash
curl -s https://clawsec.prompt.security/advisories/feed.json
Reference in New Issue View Git Blame Copy Permalink