| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +| Version | Supported | |
| 6 | +|---------|-----------| |
| 7 | +| Latest (`main`) | Yes | |
| 8 | +| Older releases | No — please update to `main` | |
| 9 | + |
| 10 | +ClawEDR does not use versioned releases at this time. The `main` branch is the supported version. Compiled policy artifacts in `deploy/` are regenerated on every push. |
| 11 | + |
| 12 | +## Reporting a Vulnerability |
| 13 | + |
| 14 | +**Please do not open a public GitHub issue for security vulnerabilities.** |
| 15 | + |
| 16 | +Report vulnerabilities privately by emailing **security@clawedr.io** (or, if that address is unavailable, by using [GitHub's private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability) on this repository). |
| 17 | + |
| 18 | +Include in your report: |
| 19 | +- A clear description of the vulnerability and its impact |
| 20 | +- Steps to reproduce or a proof-of-concept |
| 21 | +- The component affected (`bpf_hooks.c`, `monitor.py`, policy compiler, dashboard, etc.) |
| 22 | +- Any suggested mitigations you have identified |
| 23 | + |
| 24 | +You will receive an acknowledgement within **48 hours** and a status update within **7 days**. We aim to ship a fix within **14 days** for critical issues. |
| 25 | + |
| 26 | +We do not operate a bug bounty program at this time, but we will credit researchers in the fix commit and changelog unless you prefer to remain anonymous. |
| 27 | + |
| 28 | +## Scope |
| 29 | + |
| 30 | +The following are considered in-scope: |
| 31 | + |
| 32 | +- **Policy bypass** — any technique that allows a monitored process to execute a blocked binary, access a blocked path, or connect to a blocked domain without triggering enforcement |
| 33 | +- **Privilege escalation** — vulnerabilities that allow an unprivileged process to escalate to root through ClawEDR's components (monitor daemon, dashboard, installer) |
| 34 | +- **Dashboard injection / auth bypass** — XSS, CSRF, or unauthenticated access to the FastAPI dashboard (port 8477) |
| 35 | +- **Policy tampering** — weaknesses in the HMAC policy signature that allow undetected modification of `compiled_policy.json` |
| 36 | +- **Audit log integrity** — bypasses to the HMAC-chained audit log that allow undetected deletion or modification of entries |
| 37 | +- **Output scanner / injection detector evasion** — inputs that smuggle secrets or prompt-injection payloads past the pattern library without triggering a match |
| 38 | + |
| 39 | +The following are considered out-of-scope: |
| 40 | + |
| 41 | +- Attacks requiring physical access to the host machine |
| 42 | +- Denial-of-service against the monitoring daemon without code execution |
| 43 | +- Issues in third-party dependencies not introduced by this project |
| 44 | +- The threat model does not cover a fully compromised host kernel |
| 45 | + |
| 46 | +## Threat Model |
| 47 | + |
| 48 | +ClawEDR is designed to contain a **compromised or misbehaving AI coding agent**, not a human attacker with shell access. |
| 49 | + |
| 50 | +**What ClawEDR protects against:** |
| 51 | +- An agent executing dangerous binaries (`nmap`, `nc`, `curl` to untrusted destinations, etc.) |
| 52 | +- An agent reading or writing sensitive paths (`~/.ssh`, `/etc/passwd`, credential files) |
| 53 | +- An agent making outbound connections to blocked domains or IPs |
| 54 | +- Prompt-injection attacks embedded in tool results or file content flowing into the agent |
| 55 | +- Secrets and PII surfaced in LLM output before reaching the user |
| 56 | + |
| 57 | +**What ClawEDR does not protect against:** |
| 58 | +- A human attacker with root access to the host — enforcement runs as root and can be terminated |
| 59 | +- Kernel exploits that bypass eBPF / Seatbelt enforcement |
| 60 | +- Agents that modify ClawEDR's own policy files before the monitor loads them (file integrity is checked via HMAC, but a root-capable attacker can regenerate the HMAC) |
| 61 | +- macOS enforcement gaps during the brief window before `sandbox-exec` wraps the agent process |
| 62 | + |
| 63 | +## Security Architecture Notes |
| 64 | + |
| 65 | +**eBPF enforcement (Linux):** Policy is enforced in-kernel via BPF programs loaded by `monitor.py`. The BPF programs run in the kernel's verifier-checked sandbox. The monitor must run as root to load BPF programs; the monitored agent process does not require elevated privileges. |
| 66 | + |
| 67 | +**Seatbelt enforcement (macOS):** The compiled `.sb` profile is passed to `sandbox-exec` at agent launch. Violations are denied by the kernel before the syscall completes. |
| 68 | + |
| 69 | +**Policy authenticity:** `compiled_policy.json` is HMAC-signed at compile time. The monitor verifies the signature on load and on every hot-reload. A policy file with an invalid signature is rejected. |
| 70 | + |
| 71 | +**Audit log integrity:** Alert events are written to an HMAC-chained audit log. Each entry includes a MAC over the previous entry's hash, making undetected deletion or reordering detectable. |
| 72 | + |
| 73 | +**Dashboard:** The web UI binds to `127.0.0.1:8477` by default and has no authentication. It is intended for local use only. Do not expose port 8477 to untrusted networks. |
| 74 | + |
| 75 | +**User rules:** Per-user exemptions (`~/.clawedr/user_rules.yaml`) are loaded with lower precedence than the compiled policy and cannot grant permissions that exceed the compiled policy's allow-list. |
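Review bot: the audit-log sentence under "Security Architecture Notes" contradicts itself ("making undetected deletion or reordering detectable") and overstates what a MAC chain gives you. A chain where each entry carries a MAC over the previous entry's hash detects modification, reordering and deletion of entries in the middle of the log, but it does not by itself detect truncation of the newest entries; suggest rewording to "Each entry includes a MAC over the previous entry's hash, so modification, reordering or deletion of earlier entries is detectable" and either documenting how tail truncation is handled (periodic anchoring of the latest hash somewhere the monitor can compare against) or listing it as a known gap. Two related consistency points in the same hunk: the "Scope" section lists "unauthenticated access to the FastAPI dashboard" as in-scope while the architecture notes state the dashboard "has no authentication" by design, so the in-scope item should say what actually counts (e.g. the dashboard becoming reachable off-loopback, or request handling that lets a non-local client act on it); and both the "Policy tampering" scope item and the "Policy authenticity" note depend on where the HMAC key is stored and who can read it, which the file never states, even though the threat model already concedes that a root-capable attacker can regenerate the MAC. Minor: the "Supported Versions" table says "please update to `main`" for older releases right before the text says there are no versioned releases, and the last out-of-scope bullet is written as a sentence rather than an item.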