Security: fo0/clawstash

SECURITY.md

Security Policy

Supported Versions

| Version | Supported |
|---------|-----------|
| 1.x     | Yes       |

Reporting a Vulnerability

If you discover a security vulnerability in ClawStash, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please use GitHub Security Advisories to report vulnerabilities privately.

What to include

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Suggested fix (if any)

Response timeline

  • Acknowledgment: Within 48 hours
  • Assessment: Within 7 days
  • Fix: Dependent on severity and complexity

Scope

The following are in scope:

  • Authentication and authorization bypasses
  • SQL injection or other injection attacks
  • Cross-site scripting (XSS)
  • Sensitive data exposure
  • MCP server security issues
  • REST API security issues

Thank you for helping keep ClawStash secure.
