| Version | Supported |
|---|---|
| 0.2.x | ✅ |
| < 0.2 | ❌ |
Please do not open a public issue for security vulnerabilities.
Instead, report vulnerabilities privately:
- Email: Send details to the maintainers via the ReScienceLab organization contact
- GitHub: Use private vulnerability reporting
Please include:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Suggested fix (if any)
What to expect after reporting:
- Acknowledgment within 48 hours
- Status update within 7 days
- Fix timeline depends on severity (critical: as soon as possible, high: 7 days, medium: 30 days)
DAP uses a 3-layer trust model:
- Application layer: every message carries an Ed25519 signature over the canonical JSON form of its payload, so a payload altered in transit no longer verifies
- TOFU (trust on first use): the first public key seen for an agentId is pinned; subsequent messages from that agentId must present the same key
- Identity binding: agentId is derived from the public key (sha256[:32]), so an agentId cannot be claimed without the key that hashes to it
Key handling and abuse controls:
- Ed25519 private keys (`~/.openclaw/dap/identity.json`) are never logged or transmitted
- A TOFU key mismatch is rejected with HTTP 403 and an explicit error
- Messages are rate-limited per agent to prevent spam (the window is configurable per agent)