If you believe you found a security issue in @openclaw/uirouter, report it privately. Open a private report through GitHub Security Advisories or email security@openclaw.ai.
Include:
- affected version or commit
- runtime and operating system
- minimal reproduction
- demonstrated impact
- suggested remediation, if known
Do not open a public issue until maintainers have coordinated disclosure.
Security issues in scope generally include:
- route matching or redirect behavior that crosses a documented trust boundary
- stale async results overwriting the active route after cancellation
- loader data leaking between route identities or subscribers
- package or release-pipeline compromise affecting the published package
Reports must demonstrate a concrete boundary bypass or impact. Application-level authorization, page rendering, Gateway requests, and navigation policy belong to the consuming application unless this package documents and fails to enforce a specific router invariant.
- Keep @openclaw/uirouter, Node.js, and browser runtimes current.
- Treat route parameters, loader input, and loader output as untrusted data.
- Keep application authorization checks outside the router.
- Pin and review dependency updates before publishing.
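As an added illustration (not code from @openclaw/uirouter, whose API this page does not show), the JavaScript below sketches a navigator that enforces two of the invariants named above: a loader result belonging to a cancelled navigation never overwrites the active route, and route parameters and loader output are treated as untrusted data. The names createNavigator, navigate, the Map of loaders and the loader signature (params, signal) are assumptions made for this example; the routes, delays and the hostile parameter object are constructed sample input.

```javascript
// Added example, not code from @openclaw/uirouter: the navigator API below
// (createNavigator, navigate, a Map of loaders with signature (params, signal))
// is assumed for illustration only.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Route parameters are untrusted input: keep only own, string-valued keys,
// skip prototype-related names, bound sizes, and return a null-prototype object.
function validateParams(raw) {
  const out = Object.create(null);
  if (raw === null || typeof raw !== 'object') return out;
  for (const key of Object.keys(raw)) {
    const value = raw[key];
    if (FORBIDDEN_KEYS.has(key) || typeof value !== 'string') continue;
    if (key.length > 64 || value.length > 256) continue;
    out[key] = value;
  }
  return out;
}

// Loader output is untrusted as well: require a plain object, copy its own
// keys into a fresh null-prototype object and freeze it so a later navigation
// or another subscriber cannot mutate what was committed.
function sanitizeLoaderOutput(data) {
  if (data === null || typeof data !== 'object' || Array.isArray(data)) {
    throw new TypeError('loader must resolve to a plain object');
  }
  const out = Object.create(null);
  for (const key of Object.keys(data)) {
    if (!FORBIDDEN_KEYS.has(key)) out[key] = data[key];
  }
  return Object.freeze(out);
}

function createNavigator(loaders) {
  let seq = 0;          // token of the most recent navigation
  let inflight = null;  // AbortController of that navigation
  let active = null;    // committed route state: { id, params, data }
  const log = [];       // constructed audit trail for the demo

  async function navigate(routeId, rawParams) {
    const loader = loaders.get(routeId);
    if (!loader) throw new Error(`unknown route: ${routeId}`);
    const token = ++seq;                 // claim this navigation
    if (inflight) inflight.abort();      // ask the previous loader to stop
    const controller = new AbortController();
    inflight = controller;
    const params = validateParams(rawParams);
    let data;
    try {
      data = await loader(params, controller.signal);
    } catch (err) {
      // a superseded loader that honoured the signal ends here; anything else is a real failure
      if (token !== seq) { log.push(`cancelled ${routeId}`); return { committed: false }; }
      throw err;
    }
    // the invariant: a result carrying an older token never becomes the active route,
    // even when the loader ignored the abort signal and resolved late
    if (token !== seq) { log.push(`dropped stale result for ${routeId}`); return { committed: false }; }
    active = { id: routeId, params, data: sanitizeLoaderOutput(data) };
    return { committed: true };
  }
  return { navigate, getActive: () => active, log };
}

// Constructed sample loaders: a timer-based delay that optionally honours an AbortSignal.
function delay(ms, signal) {
  return new Promise((resolve, reject) => {
    const timer = setTimeout(resolve, ms);
    if (signal) signal.addEventListener('abort', () => { clearTimeout(timer); reject(new Error('aborted')); });
  });
}

const sampleLoaders = new Map([
  // ignores the signal and resolves late: only the token guard protects the active route
  ['slow', async (params) => { await delay(30); return { who: params.id, from: 'slow' }; }],
  // honours the signal: rejects promptly when superseded
  ['cancellable', async (params, signal) => { await delay(30, signal); return { from: 'cancellable' }; }],
  ['fast', async (params) => { await delay(5); return { who: params.id, from: 'fast' }; }],
]);

async function runDemo() {
  const nav = createNavigator(sampleLoaders);
  // constructed hostile parameters: a JSON body smuggling an own "__proto__" key
  const hostile = JSON.parse('{"id":"42","__proto__":{"admin":true}}');
  const first = await Promise.all([nav.navigate('slow', hostile), nav.navigate('fast', { id: '7', n: 1 })]);
  const second = await Promise.all([nav.navigate('cancellable', {}), nav.navigate('fast', { id: '8' })]);
  return { active: nav.getActive(), log: nav.log, first, second };
}

runDemo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The token comparison after the await is the part that matters: aborting the previous controller is a courtesy to loaders that honour it, but the "slow" loader shows why the router cannot rely on it. Authorization is deliberately absent from this sketch, matching the guidance above that such checks belong to the consuming application rather than the router.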
There is currently no paid bug bounty program.