Security
Responsible disclosure
If you believe you have found a vulnerability that affects the CoClaw website or its tooling, we appreciate responsible disclosure.
Last updated: March 11, 2026
What to include
- A clear description of the issue and potential impact
- Steps to reproduce (or a proof of concept)
- Affected URLs, parameters, and environments
- Logs or screenshots (redact secrets)
Scope
In scope: coclaw.com and its hosted web application code, including pages and tools served from coclaw.com (for example, the Config Generator).
Out of scope: third-party services we link to (GitHub, Discord, etc.) and the OpenClaw project itself.
Please do not access or modify data that does not belong to you. Redact secrets in all reports.
Response timeline
Best effort: we aim to acknowledge reports within 1-2 days and will keep you updated as we investigate and remediate.
Please do not
- Publicly disclose the issue before we have a chance to fix it.
- Run denial-of-service attacks or automated scanning that harms availability.
- Exfiltrate data or attempt privilege escalation beyond what is needed to demonstrate impact.
Safe harbor
If you make a good-faith effort to follow this policy, we will not pursue legal action against you for your security research. Please minimize disruption and respect user privacy.