openclaw/SECURITY.md

# Security Policy

If you believe you've found a security issue in OpenClaw, please report it privately.

## Reporting

Report vulnerabilities directly to the repository where the issue lives:

- **Core CLI and gateway** — [openclaw/openclaw](https://github.com/openclaw/openclaw)
- **macOS desktop app** — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/macos)
- **iOS app** — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/ios)
- **Android app** — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/android)
- **ClawHub** — [openclaw/clawhub](https://github.com/openclaw/clawhub)
- **Trust and threat model** — [openclaw/trust](https://github.com/openclaw/trust)

For issues that don't fit a specific repo, or if you're unsure, email **security@openclaw.ai** and we'll route it.

For full reporting instructions see our [Trust page](https://trust.openclaw.ai).

### Required in Reports

1. **Title**
2. **Severity Assessment**
3. **Impact**
4. **Affected Component**
5. **Technical Reproduction**
6. **Demonstrated Impact**
7. **Environment**
8. **Remediation Advice**

Reports without reproduction steps, demonstrated impact, and remediation advice will be deprioritized. Given the volume of AI-generated scanner findings, we must ensure we're receiving vetted reports from researchers who understand the issues.

## Security & Trust

**Jamieson O'Reilly** ([@theonejvo](https://twitter.com/theonejvo)) is Security & Trust at OpenClaw. Jamieson is the founder of [Dvuln](https://dvuln.com) and brings extensive experience in offensive security, penetration testing, and security program development.

## Bug Bounties

OpenClaw is a labor of love. There is no bug bounty program and no budget for paid reports. Please still disclose responsibly so we can fix issues quickly.
The best way to help the project right now is by sending PRs.

## Out of Scope

- Public Internet Exposure
- Using OpenClaw in ways that the docs recommend not to
- Prompt injection attacks

## Operational Guidance

For threat model + hardening guidance (including `openclaw security audit --deep` and `--fix`), see:

- `https://docs.openclaw.ai/gateway/security`

### Web Interface Safety

OpenClaw's web interface is intended for local use only. Do **not** bind it to the public internet; it is not hardened for public exposure.

## Runtime Requirements

### Node.js Version

OpenClaw requires **Node.js 22.12.0 or later** (LTS). This version includes important security patches:

- CVE-2025-59466: async_hooks DoS vulnerability
- CVE-2026-21636: Permission model bypass vulnerability

Verify your Node.js version:

```bash
node --version  # Should be v22.12.0 or later
```

### Docker Security

When running OpenClaw in Docker:

1. The official image runs as a non-root user (`node`) for reduced attack surface
2. Use `--read-only` flag when possible for additional filesystem protection
3. Limit container capabilities with `--cap-drop=ALL`

Example secure Docker run:

```bash
docker run --read-only --cap-drop=ALL \
  -v openclaw-data:/app/data \
  openclaw/openclaw:latest
```

## Security Scanning

This project uses `detect-secrets` for automated secret detection in CI/CD.
See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.

Run locally:

```bash
pip install detect-secrets==1.5.0
detect-secrets scan --baseline .secrets.baseline
```
feat(security): expand audit and safe --fix 2026-01-15 05:31:35 +00:00			`# Security Policy`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`If you believe you've found a security issue in OpenClaw, please report it privately.`
feat(security): expand audit and safe --fix 2026-01-15 05:31:35 +00:00
			`## Reporting`

docs: expand vulnerability reporting guidelines in SECURITY.md 2026-02-10 15:16:42 +11:00			`Report vulnerabilities directly to the repository where the issue lives:`
docs: add security & trust documentation Add threat model (MITRE ATLAS), contribution guide, and security directory README. Update SECURITY.md with trust page reporting instructions and Jamieson O'Reilly as Security & Trust. Co-Authored-By: theonejvo <theonejvo@users.noreply.github.com> 2026-02-08 21:38:42 +11:00
docs: expand vulnerability reporting guidelines in SECURITY.md 2026-02-10 15:16:42 +11:00			`- Core CLI and gateway — [openclaw/openclaw](https://github.com/openclaw/openclaw)`
			`- macOS desktop app — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/macos)`
			`- iOS app — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/ios)`
			`- Android app — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/android)`
			`- ClawHub — [openclaw/clawhub](https://github.com/openclaw/clawhub)`
			`- Trust and threat model — [openclaw/trust](https://github.com/openclaw/trust)`

			`For issues that don't fit a specific repo, or if you're unsure, email security@openclaw.ai and we'll route it.`

			`For full reporting instructions see our [Trust page](https://trust.openclaw.ai).`

			`### Required in Reports`

			`1. Title`
			`2. Severity Assessment`
			`3. Impact`
			`4. Affected Component`
			`5. Technical Reproduction`
			`6. Demonstrated Impact`
			`7. Environment`
			`8. Remediation Advice`

			`Reports without reproduction steps, demonstrated impact, and remediation advice will be deprioritized. Given the volume of AI-generated scanner findings, we must ensure we're receiving vetted reports from researchers who understand the issues.`
docs: add security & trust documentation Add threat model (MITRE ATLAS), contribution guide, and security directory README. Update SECURITY.md with trust page reporting instructions and Jamieson O'Reilly as Security & Trust. Co-Authored-By: theonejvo <theonejvo@users.noreply.github.com> 2026-02-08 21:38:42 +11:00
			`## Security & Trust`

			`Jamieson O'Reilly ([@theonejvo](https://twitter.com/theonejvo)) is Security & Trust at OpenClaw. Jamieson is the founder of [Dvuln](https://dvuln.com) and brings extensive experience in offensive security, penetration testing, and security program development.`
feat(security): expand audit and safe --fix 2026-01-15 05:31:35 +00:00
docs: clarify security scope 2026-01-30 21:51:19 +01:00			`## Bug Bounties`

			`OpenClaw is a labor of love. There is no bug bounty program and no budget for paid reports. Please still disclose responsibly so we can fix issues quickly.`
			`The best way to help the project right now is by sending PRs.`

			`## Out of Scope`

			`- Public Internet Exposure`
			`- Using OpenClaw in ways that the docs recommend not to`
Add prompt injection attacks to out of scope section 2026-01-31 13:17:24 +01:00			`- Prompt injection attacks`
docs: clarify security scope 2026-01-30 21:51:19 +01:00
feat(security): expand audit and safe --fix 2026-01-15 05:31:35 +00:00			`## Operational Guidance`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			For threat model + hardening guidance (including `openclaw security audit --deep` and `--fix`), see:
feat(security): expand audit and safe --fix 2026-01-15 05:31:35 +00:00
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			- `https://docs.openclaw.ai/gateway/security`
security: apply Agents Council recommendations - Add USER node directive to Dockerfile for non-root container execution - Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636) - Add Docker security best practices documentation - Document detect-secrets usage for local security scanning Reviewed-by: Agents Council (5/5 approval) Security-Score: 8.8/10 Watchdog-Verdict: SAFE WITH CONDITIONS Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-25 20:41:20 -03:00
docs: warn against public web binding 2026-01-27 03:30:26 +00:00			`### Web Interface Safety`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`OpenClaw's web interface is intended for local use only. Do not bind it to the public internet; it is not hardened for public exposure.`
docs: warn against public web binding 2026-01-27 03:30:26 +00:00
security: apply Agents Council recommendations - Add USER node directive to Dockerfile for non-root container execution - Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636) - Add Docker security best practices documentation - Document detect-secrets usage for local security scanning Reviewed-by: Agents Council (5/5 approval) Security-Score: 8.8/10 Watchdog-Verdict: SAFE WITH CONDITIONS Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-25 20:41:20 -03:00			`## Runtime Requirements`

			`### Node.js Version`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`OpenClaw requires Node.js 22.12.0 or later (LTS). This version includes important security patches:`
security: apply Agents Council recommendations - Add USER node directive to Dockerfile for non-root container execution - Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636) - Add Docker security best practices documentation - Document detect-secrets usage for local security scanning Reviewed-by: Agents Council (5/5 approval) Security-Score: 8.8/10 Watchdog-Verdict: SAFE WITH CONDITIONS Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-25 20:41:20 -03:00
			`- CVE-2025-59466: async_hooks DoS vulnerability`
			`- CVE-2026-21636: Permission model bypass vulnerability`

			`Verify your Node.js version:`

			```bash
			`node --version # Should be v22.12.0 or later`
			```

			`### Docker Security`

refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`When running OpenClaw in Docker:`
security: apply Agents Council recommendations - Add USER node directive to Dockerfile for non-root container execution - Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636) - Add Docker security best practices documentation - Document detect-secrets usage for local security scanning Reviewed-by: Agents Council (5/5 approval) Security-Score: 8.8/10 Watchdog-Verdict: SAFE WITH CONDITIONS Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-25 20:41:20 -03:00
			1. The official image runs as a non-root user (`node`) for reduced attack surface
			2. Use `--read-only` flag when possible for additional filesystem protection
			3. Limit container capabilities with `--cap-drop=ALL`

			`Example secure Docker run:`

			```bash
			`docker run --read-only --cap-drop=ALL \`
refactor: rename to openclaw 2026-01-30 03:15:10 +01:00			`-v openclaw-data:/app/data \`
			`openclaw/openclaw:latest`
security: apply Agents Council recommendations - Add USER node directive to Dockerfile for non-root container execution - Update SECURITY.md with Node.js version requirements (CVE-2025-59466, CVE-2026-21636) - Add Docker security best practices documentation - Document detect-secrets usage for local security scanning Reviewed-by: Agents Council (5/5 approval) Security-Score: 8.8/10 Watchdog-Verdict: SAFE WITH CONDITIONS Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-01-25 20:41:20 -03:00			```

			`## Security Scanning`

			This project uses `detect-secrets` for automated secret detection in CI/CD.
			See `.detect-secrets.cfg` for configuration and `.secrets.baseline` for the baseline.

			`Run locally:`

			```bash
			`pip install detect-secrets==1.5.0`
			`detect-secrets scan --baseline .secrets.baseline`
			```