docs: clarify security scope

2026-01-30 21:51:19 +01:00 · 2026-01-30 21:51:19 +01:00 · 2cdfecdde3
parent 49a3e3795a
commit 2cdfecdde3
1 changed files with 10 additions and 0 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -7,6 +7,16 @@ If you believe you've found a security issue in OpenClaw, please report it priva
 - Email: `steipete@gmail.com`
 - What to include: reproduction steps, impact assessment, and (if possible) a minimal PoC.

+## Bug Bounties
+
+OpenClaw is a labor of love. There is no bug bounty program and no budget for paid reports. Please still disclose responsibly so we can fix issues quickly.
+The best way to help the project right now is by sending PRs.
+
+## Out of Scope
+
+- Public Internet Exposure
+- Using OpenClaw in ways that the docs recommend not to
+
 ## Operational Guidance

 For threat model + hardening guidance (including `openclaw security audit --deep` and `--fix`), see: