Skip to content

Security: private coordinated disclosure ready (enable PVR or contact @macncrash) #3276

Description

@macncrash

Coordination request (no technical details here)

I have a private coordinated vulnerability report for ultraworkers/claw-code affecting sandbox isolation reporting and permission-mode persistence (HIGH). Report includes full write-up and suggested patches.

Private vulnerability reporting appears disabled on this repository (GET .../private-vulnerability-reportingenabled: false), so I cannot file a GHSA report via the API.

Please either

  1. Enable private vulnerability reporting so I can submit the full package via GitHub Security Advisories, or
  2. Contact @macncrash / macncrash@users.noreply.github.com and I will grant access to the private package repo or re-send the materials.

Private package (invite-only): https://github.com/macncrash/saudit-disclosure-claw-code-2026-07

I will not post exploit details, PoCs, or patches on this public issue.

Reporter: macncrash
AI-assisted analysis; findings human-verified. Local validation only.

Thank you.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions