From 2b665b0e83fb8326f351980e5dc2a82131ee14c0 Mon Sep 17 00:00:00 2001 From: "openclaw-docs-sync[bot]" Date: Sun, 3 May 2026 11:33:24 +0000 Subject: [PATCH] chore(sync): mirror docs from openclaw/openclaw@79f77d877eb430aeeb4efef12c6e4ce4d2815d33 --- .openclaw-sync/source.json | 4 +- docs/security/incident-response.md | 61 ++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+), 2 deletions(-) create mode 100644 docs/security/incident-response.md diff --git a/.openclaw-sync/source.json b/.openclaw-sync/source.json index 3ac9ab1b0..3f7e6913c 100644 --- a/.openclaw-sync/source.json +++ b/.openclaw-sync/source.json @@ -1,5 +1,5 @@ { "repository": "openclaw/openclaw", - "sha": "1584acb124a8f51a4e65ae57177173a353e2ac83", - "syncedAt": "2026-05-03T11:26:20.342Z" + "sha": "79f77d877eb430aeeb4efef12c6e4ce4d2815d33", + "syncedAt": "2026-05-03T11:31:29.064Z" } diff --git a/docs/security/incident-response.md b/docs/security/incident-response.md new file mode 100644 index 000000000..fedde0c2f --- /dev/null +++ b/docs/security/incident-response.md 
@@ -0,0 +1,61 @@ +--- +summary: "How OpenClaw triages, responds to, and follows up on security incidents" +title: "Incident response" +read_when: + - Responding to a security report or suspected security incident + - Preparing a coordinated disclosure or patched security release + - Reviewing post-incident follow-up expectations +--- + +# Incident Response + +## 1. Detection and triage + +We monitor security signals from: + +- GitHub Security Advisories (GHSA) and private vulnerability reports. +- Public GitHub issues/discussions when reports are not sensitive. +- Automated signals (for example Dependabot, CodeQL, npm advisories, and secret scanning). + +Initial triage: + +1. Confirm affected component, version, and trust boundary impact. +2. Classify as security issue vs hardening/no-action using the repository `SECURITY.md` scope and out-of-scope rules. +3. An incident owner responds accordingly. + +## 2. Assessment + +Severity guide: + +- **Critical:** Package/release/repository compromise, active exploitation, or unauthenticated trust-boundary bypass with high-impact control or data exposure. +- **High:** Verified trust-boundary bypass requiring limited preconditions (for example authenticated but unauthorized high-impact action), or exposure of OpenClaw-owned sensitive credentials. +- **Medium:** Significant security weakness with practical impact but constrained exploitability or substantial prerequisites. +- **Low:** Defense-in-depth findings, narrowly scoped denial-of-service, or hardening/parity gaps without a demonstrated trust-boundary bypass. + +## 3. Response + +1. Acknowledge receipt to the reporter (private when sensitive). +2. Reproduce on supported releases and latest `main`, then implement and validate a patch with regression coverage. +3. For critical/high incidents, prepare patched release(s) as fast as practical. +4. For medium/low incidents, patch in normal release flow and document mitigation guidance. + +## 4. 
Communication + +We communicate through: + +- GitHub Security Advisories in the affected repository. +- Release notes/changelog entries for fixed versions. +- Direct reporter follow-up on status and resolution. + +Disclosure policy: + +- Critical/high incidents should receive coordinated disclosure, with CVE issuance when appropriate. +- Low-risk hardening findings may be documented in release notes or advisories without CVE, depending on impact and user exposure. + +## 5. Recovery and follow-up + +After shipping the fix: + +1. Verify remediations in CI and release artifacts. +2. Run a short post-incident review (timeline, root cause, detection gap, prevention plan). +3. Add follow-up hardening/tests/docs tasks and track them to completion.
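Review bot: in the `.openclaw-sync/source.json` hunk, the pinned `sha` (`79f77d877eb430aeeb4efef12c6e4ce4d2815d33`) matches the upstream commit named in the patch subject and the `syncedAt` timestamp precedes the commit date by about two minutes, so the mirror is traceable as-is; since this sync also creates a new file, consider recording alongside `sha` which upstream paths were mirrored (here `docs/security/incident-response.md`) so a consumer can check the mirror for completeness without diffing the whole tree.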
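Review bot: the Response section (step 1 through 4 under `## 3. Response`) has no containment step, even though the Critical severity bucket under `## 2. Assessment` explicitly covers "Package/release/repository compromise, active exploitation", and the High bucket covers "exposure of OpenClaw-owned sensitive credentials". For those cases, reproducing and patching is not the first action; add a step between "Acknowledge receipt" and "Reproduce on supported releases" along the lines of "For compromise or credential-exposure incidents, contain first: revoke or rotate affected tokens and keys, deprecate or unpublish affected package versions, and block further publishing until the source is trusted again." Two smaller points in the same hunk: triage step 3, "An incident owner responds accordingly", never says who assigns the owner or within what time the reporter hears back, and "supported releases" in response step 2 is undefined here; both could point at the repository `SECURITY.md`, which the triage step already cites for scope rules, if the supported-version list and response targets live there.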