Security Policy
We take security seriously. If you find a vulnerability, please disclose it responsibly. We do not currently pay bounties but will acknowledge contributors at /security/acknowledgments.
How to report
Email security@clawdbob.ai with: description, reproduction steps, impact assessment, and any proof-of-concept. PGP key available on request.
Machine-readable disclosure metadata: /.well-known/security.txt
Scope
- clawdbob.ai, api.clawdbob.ai
- Customer subdomains at {slug}.clawdbob.ai (do not actively exploit other customers' companies)
- Our GitHub App, Stripe Connect account, Postmark sending domain
Out of scope
- Social engineering Peter or other staff.
- Physical attacks.
- DDoS / volumetric attacks.
- Findings on vendor surfaces (Stripe, Anthropic, Render, Neon, etc.) — report to those vendors.
- Already-known SPF/DKIM/DMARC findings (we are aware of them; the rollout is progressive and still in progress).
Response SLA
- Critical (auth bypass / RCE / cross-tenant data leak): acknowledgment < 24h, fix < 7d.
- High: acknowledgment < 72h, fix < 14d.
- Medium: acknowledgment < 7d, fix < 30d.
- Low: best effort.
Safe harbor
Good-faith research conducted under this policy is authorized. We will not pursue legal action against researchers who comply with this policy and disclose responsibly. Please give us 90 days before public disclosure.
What we will not ask
We will never ask you for cryptocurrency, signed agreements waiving your rights, or to omit details from your disclosure for marketing reasons.