docs/security/incident-response.md
Security signals come from:
Initial triage:
SECURITY.md's scope and out-of-scope rules.| Severity | Definition |
|---|---|
| Critical | Package/release/repository compromise, active exploitation, or unauthenticated trust-boundary bypass with high-impact control or data exposure. |
| High | Verified trust-boundary bypass requiring limited preconditions (for example, authenticated but unauthorized high-impact action), or exposure of OpenClaw-owned sensitive credentials. |
| Medium | Significant security weakness with practical impact but constrained exploitability or substantial prerequisites. |
| Low | Defense-in-depth findings, narrowly scoped denial-of-service, or hardening/parity gaps without a demonstrated trust-boundary bypass. |
main, then implement and validate a patch with regression coverage.Communicate through GitHub Security Advisories in the affected repository, release notes/changelog entries for fixed versions, and direct reporter follow-up on status and resolution.
Critical/high incidents get coordinated disclosure, with CVE issuance when appropriate. Low-risk hardening findings may be documented in release notes or advisories without a CVE, depending on impact and user exposure.
After shipping the fix: