| Version | Supported |
|---|---|
| Latest release | ✅ |
| Previous release | ✅ |
| Older versions | ❌ |
Please do NOT open a public issue for security vulnerabilities.
Instead, report security issues privately via one of the following:
- Email: security@starclaw.me
- GitHub Security Advisories: use the repository's "Report a vulnerability" form
Please include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 1 week
- Fix release: within 2 weeks for critical issues
StarClaw includes built-in security features:
- AES-256-GCM encryption for sensitive data at rest
- Ed25519 signature authentication for inter-node communication
- Merkle-linked audit chain for tamper-evident logging
- JWT authentication with configurable secret rotation
- Role-based access control (RBAC)
- Sandbox execution for user code with resource limits
- Input validation on all API endpoints
Deployment best practices:
- Always change default secrets: set unique values for `JWT_SECRET`, database passwords, and `STARCLAW_MASTER_KEY`
- Use HTTPS: never expose the API over plain HTTP in production
- Restrict network access: bind ports to `127.0.0.1` and put a reverse proxy in front
- Keep updated: enable Molt auto-update checks or watch GitHub releases
- Review API keys: use BYOK (Bring Your Own Key) and rotate keys regularly