From 0657d7c772e6f3343fca1c64e5f8625f29cdbb7a Mon Sep 17 00:00:00 2001 From: Jamieson O'Reilly <125909656+theonejvo@users.noreply.github.com> Date: Tue, 10 Feb 2026 15:16:42 +1100 Subject: [PATCH] docs: expand vulnerability reporting guidelines in SECURITY.md --- SECURITY.md | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index ec0ff9f30cf..c3db26fa650 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -4,9 +4,31 @@ If you believe you've found a security issue in OpenClaw, please report it priva ## Reporting -For full reporting instructions - including which repo to report to and how - see our [Trust page](https://trust.openclaw.ai). +Report vulnerabilities directly to the repository where the issue lives: -Include: reproduction steps, impact assessment, and (if possible) a minimal PoC. +- **Core CLI and gateway** — [openclaw/openclaw](https://github.com/openclaw/openclaw) +- **macOS desktop app** — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/macos) +- **iOS app** — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/ios) +- **Android app** — [openclaw/openclaw](https://github.com/openclaw/openclaw) (apps/android) +- **ClawHub** — [openclaw/clawhub](https://github.com/openclaw/clawhub) +- **Trust and threat model** — [openclaw/trust](https://github.com/openclaw/trust) + +For issues that don't fit a specific repo, or if you're unsure, email **security@openclaw.ai** and we'll route it. + +For full reporting instructions see our [Trust page](https://trust.openclaw.ai). + +### Required in Reports + +1. **Title** +2. **Severity Assessment** +3. **Impact** +4. **Affected Component** +5. **Technical Reproduction** +6. **Demonstrated Impact** +7. **Environment** +8. **Remediation Advice** + +Reports without reproduction steps, demonstrated impact, and remediation advice will be deprioritized. Given the volume of AI-generated scanner findings, we must ensure we're receiving vetted reports from researchers who understand the issues. ## Security & Trust
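Review bot: The new "### Required in Reports" list names eight headings but defines none of them, so a reporter has to guess what "Severity Assessment" should contain (no scale is named) and how "3. **Impact**" differs from "6. **Demonstrated Impact**"; add a one-line description under each item (for example the severity scale you expect and that "Demonstrated Impact" means a working PoC rather than a narrative), and consider merging the three bullets that all point at `openclaw/openclaw` into one entry listing `apps/macos`, `apps/ios` and `apps/android`. The closing paragraph also gates only on "reproduction steps, demonstrated impact, and remediation advice" (items 5, 6 and 8), which contradicts the heading calling all eight items required; either soften the heading or state that all items are expected. Finally, the removed line promised instructions on "which repo to report to and how", and the replacement only says which repo: state the channel to use (private advisory, issue, or email) next to the repo list rather than leaving it to the Trust page link.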