Security & Vulnerability Disclosure

Security is at the core of HexaClaw. We take the security of our products, infrastructure, and users seriously. We welcome and appreciate responsible disclosure of vulnerabilities from security researchers and the broader community.

Our Guardian security engine is continuously updated with new detection rules and our infrastructure undergoes regular security reviews. Despite our best efforts, no software is perfect. If you discover a vulnerability, we want to hear about it.

Please report security vulnerabilities to:

Please include the following in your report:

• A description of the vulnerability and its potential impact
• Detailed steps to reproduce the issue (proof of concept if possible)
• The affected component (Cloud API Platform, Guardian, website, desktop app, CLI, skills, credit system, BYOK)
• Your assessment of severity (Critical, High, Medium, Low)
• Any suggested remediation (optional but appreciated)
• Your name or handle for attribution (optional)

Do not report security vulnerabilities through public GitHub issues, social media, or other public channels.

We are committed to responding promptly to vulnerability reports:

We will keep you informed of our progress throughout the remediation process.

In Scope

• hexaclaw.com and all subdomains
• HexaClaw desktop application (macOS)
• HexaClaw CLI and Gateway
• Cloud API Platform (LLM proxy, authentication, billing, rate limiting, credit system)
• API key provisioning and device linking endpoints
• BYOK (Bring Your Own Key) authentication flow
• Guardian security engine (rules, heuristics, ML classifier)
• Guardian Cloud API
• Install scripts and configuration tools
• Official curated skill packs

Out of Scope

• Third-party skills not included in official curated packs
• Third-party services we integrate with (Stripe, Firebase, Google Cloud) -- report these to the respective vendors
• Social engineering attacks against HexaClaw employees
• Physical security of our infrastructure
• Denial-of-service attacks
• Vulnerabilities in upstream OpenClaw or Pi-Mono that do not affect HexaClaw-specific functionality

We consider good-faith security research conducted in accordance with this policy to be:

• Authorized and lawful under applicable anti-hacking laws
• Authorized and lawful under applicable anti-circumvention laws
• Exempt from restrictions in our Terms of Service and Acceptable Use Policy that would otherwise prohibit the research activity

We will not initiate legal action against researchers who:

• Act in good faith and comply with this policy
• Do not access, modify, or delete data belonging to other users
• Stop testing and report promptly upon discovering a vulnerability
• Do not exploit the vulnerability beyond what is necessary for demonstration
• Provide us reasonable time to remediate before any public disclosure

If legal action is initiated by a third party against you for activities conducted in compliance with this policy, we will make reasonable efforts to make it known that your actions were conducted in accordance with our policy.

We follow a coordinated disclosure approach:

• We request a 90-day disclosure window from the time of your initial report to allow us to develop and deploy a fix
• We will work with you to agree on a disclosure date
• If we are unable to resolve the issue within 90 days, we will coordinate with you on an appropriate disclosure timeline
• We will credit researchers (by name or handle, per your preference) in any public security advisories related to their findings

Security reports: security@hexaclaw.com

General security questions: hello@hexaclaw.com

We aim to acknowledge all security reports within 48 hours. If you do not receive a response within that timeframe, please follow up or contact hello@hexaclaw.com as a secondary channel.