Security: DiscoClaw/discoclaw

SECURITY.md

Security Policy

Reporting a Vulnerability

If you discover a security vulnerability in DiscoClaw, please report it through GitHub's private vulnerability reporting.

Do not open a public issue for security vulnerabilities.

Scope

In scope:

  • The DiscoClaw orchestration layer (context assembly, runtime routing, Discord event handling, task scheduling)
  • Configuration parsing and validation
  • Task/cron subsystem logic

Out of scope:

  • Claude Code itself (report to Anthropic)
  • Discord API or discord.js (report to Discord or discord.js)
  • Anthropic services and APIs

Response

We aim to acknowledge reports within 48 hours and provide a fix or mitigation plan within 7 days for confirmed vulnerabilities.

There aren’t any published security advisories