# Security Policy
## Supported versions

| Version | Supported |
|---------|-----------|
| 0.x (latest) | ✅ |
## Reporting a vulnerability
We take security issues seriously. **Please do not open a public GitHub issue
for security vulnerabilities.**
Instead, send a detailed report by email to **security@clawdb.io** (or, if
that address is unavailable, directly message a repository owner via GitHub).
Please include:
- A description of the vulnerability and its potential impact.
- Steps to reproduce or a minimal proof-of-concept.
- Affected versions (the `version` field in `Cargo.toml` gives the version you are running).
- Any suggested mitigations, if known.
## Response timeline

| Stage | Target |
|-------|--------|
| Initial acknowledgement | 2 business days |
| Severity assessment | 5 business days |
| Fix or mitigation published | 30 days for critical, 90 days for others |
We follow a **coordinated disclosure** model. We ask that reporters give us
reasonable time to address the issue before any public disclosure.
## Scope
This policy covers `claw-core` and its direct dependencies as shipped in this
repository. Issues in transitive dependencies should be reported to the
upstream maintainer; if the issue prevents a safe upgrade please also notify
us so we can assist with the coordination.
## Data protection note
By default, `claw-core` database files are **not encrypted at rest**. Optional
encryption is available only when the `encryption` feature is explicitly
enabled and SQLCipher is correctly configured.
Filesystem ownership, file permissions on the database and any files written
alongside it, and host-level disk protections are the caller's responsibility.
## Out of scope
- Vulnerabilities that require physical access to the host machine.
- Issues in code branches, forks, or modified versions not published by
`@Claw-DB`.
- Theoretical vulnerabilities without a working proof-of-concept.
## Acknowledgements
We are grateful to security researchers who responsibly disclose vulnerabilities.
Credited researchers (with their consent) will be listed in the release notes
for the version that contains the fix.