Security: EyrieCommander/zeroclaw-ui
SECURITY.md

Security Policy

Supported Versions

Version       Supported
0.1.x-alpha   Yes

Reporting a Finding

If you discover a security issue in ZeroClaw UI, please report it responsibly.

Please do NOT open a public GitHub issue for security findings.

Instead, email: security@zeroclaw.org

Include:

  • A description of the issue
  • Steps to reproduce (if applicable)
  • The potential impact
  • Any suggested fixes

Response Timeline

  • Acknowledgement: Within 48 hours
  • Initial assessment: Within 1 week
  • Fix or mitigation: Depends on severity, but we aim for prompt resolution

Scope

This policy covers the ZeroClaw UI desktop application (zeroclaw-ui). For issues with the ZeroClaw agent runtime itself, please report to the zeroclaw repository.

Known Areas of Interest

The following areas are particularly relevant for security review:

  • IPC handlers (src/main/ipc/) — bridge between renderer and main process
  • CLI wrapper (src/main/lib/cli.ts) — spawns zeroclaw subprocesses
  • Config management (src/main/lib/config.ts) — reads/writes config with API keys
  • Workspace files (src/main/lib/workspace.ts) — file read/write operations
  • MCP server (src/mcp/server.ts) — exposes tools to external MCP clients
  • Preload bridge (src/preload/index.ts) — API surface exposed to renderer

Acknowledgements

We appreciate the efforts of security researchers and will credit reporters (with permission) in release notes when findings are addressed.