| Version | Supported |
|---|---|
| 3.2.x | ✅ Active support |
| 3.1.x | ✅ Security fixes |
| 3.0.x | |
| < 3.0 | ❌ End of life |

If you discover a security vulnerability in M4STCLAW, please report it responsibly:
- Do NOT open a public GitHub issue
- Email: m4stanuj@users.noreply.github.com
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact assessment
  - Suggested fix (if any)

- Acknowledgment: Within 48 hours
- Initial Assessment: Within 5 business days
- Fix & Disclosure: Within 30 days (coordinated disclosure)

M4STCLAW implements the following security controls:
- Localhost-only binding — No external network exposure by default
- Safety guard — All shell commands are validated against destructive patterns before execution
- API key isolation — Keys stored exclusively in `.env`, never in source code
- Rate limiting — Per-provider request throttling prevents abuse
- Input sanitization — All user inputs are sanitized before LLM processing