Incident reporting and response

Last updated Mar 31, 2026

To report a security vulnerability, email security@multiclaw.io with a description of the issue, steps to reproduce, and the affected MultiClaw version. MultiClaw targets acknowledgement within 24 hours and triages all reports within 72 hours. The incident management process is informed by ISO/IEC 27035.

How to report a vulnerability

Email security@multiclaw.io with the following details:

  • Description of the issue: what you found, where it occurs, and what impact it may have.
  • Steps to reproduce: a clear sequence another person could follow to confirm the issue.
  • Affected MultiClaw version: the desktop app version, MultiClaw Cloud, or MultiClaw Chrome Extension version where you observed the issue.
  • Proof-of-concept (if available): screenshots, logs, or sample code that demonstrate the vulnerability.

For vulnerabilities with a CVSS score of 7.0 or higher (High or Critical severity), use the subject line "SECURITY — Critical". This routes the report to the on-call security team for immediate triage.

Note:

CVSS (Common Vulnerability Scoring System) is an industry-standard framework for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. MultiClaw uses CVSS scores to prioritize response and fix timelines.

Response timelines

MultiClaw targets the following response and resolution timelines after a report is received.

Severity        CVSS range    Target resolution
Critical        9.0–10.0      Patch within 7 days
High            7.0–8.9       Patch within 30 days
Medium / Low    Below 7.0     Scheduled in the next available release

Acknowledgement: MultiClaw targets acknowledgement of all reports within 24 hours of receipt.

Triage: severity classification is targeted for completion within 72 hours.

These timelines are targets, not guarantees. Complex vulnerabilities may require additional time to fix safely without introducing new issues.

What happens during an incident

When a confirmed security incident affects customer data, MultiClaw follows a structured response process:

  1. Containment: the security team identifies the scope of the incident and takes immediate steps to limit further exposure.
  2. Regulatory notification: MultiClaw notifies the relevant supervisory authority (such as the UK ICO) within 72 hours of confirming a personal data breach, as required by GDPR Article 33.
  3. Customer notification: where a breach is likely to result in a high risk to affected individuals, MultiClaw notifies those individuals without undue delay by email, as required by GDPR Article 34.
  4. Status updates: the MultiClaw Cloud status page at status.multiclaw.io is updated as the incident progresses.
  5. Post-incident report: for incidents with customer impact, MultiClaw publishes a post-incident report within 14 days of resolution. The report covers what happened, what data was affected, what steps were taken, and what changes were made to reduce the likelihood of recurrence.

Responsible disclosure

MultiClaw encourages responsible disclosure from security researchers. If you discover a vulnerability, report it through the process above before sharing details publicly. MultiClaw will work with you to understand and address the issue before any public disclosure.

Avoid posting vulnerability details in public forums, issue trackers, or social media until a fix has been released. This protects other users while the team resolves the issue.

Data privacy concerns

For GDPR data subject requests, data breach reports, or questions about how MultiClaw handles your personal data, email privacy@multiclaw.io. MultiClaw responds to data subject requests within one calendar month, as required by GDPR.

See Privacy and data handling for full details on what data MultiClaw collects, retention periods, and your data rights.

Your responsibilities

Security incident response is a shared effort. While MultiClaw handles containment, regulatory notification, and resolution, you play a role in keeping your workspace secure:

  • Report promptly: if you notice unexpected agent behaviour, unauthorized access, or suspicious activity, report it to security@multiclaw.io as soon as possible.
  • Preserve evidence: avoid making changes that could overwrite logs or configuration before the security team has a chance to investigate.
  • Rotate compromised credentials: if you suspect an API key or password has been exposed, rotate it immediately from your agent settings in MultiClaw Cloud.

For a full breakdown of security responsibilities, see Shared responsibility model.