mirror of
https://github.com/earendil-works/pi.git
synced 2026-06-18 15:54:04 +08:00
doc: clarify wording in SECURITY.md
+20 -3
@@ -8,6 +8,14 @@ of the user that is running it. It's the responsibiltiy of the user to monitor
its operations or to contain it within a container, virtual machine or other
Sandbox solution.
Pi treats the local user account and files writable by that account as inside
the same trust boundary as the Pi process itself. If an attacker can modify files
under the user's home directory, workspace, shell startup files, environment, or
Pi configuration, they can generally influence Pi or other local developer tools.
Reports that depend on such prior local write access are not security
vulnerabilities unless they demonstrate how Pi grants that write access or crosses
an operating-system privilege boundary.
Pi relies on users installing trustworthy extensions and loading trustworthy
skills and only to use pi within trusted repositories. This is because files
like `AGENTS.md` or instructions in comments can be used to prompt inject the
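Review bot: the new paragraph `Pi treats the local user account and files writable by that account as inside the same trust boundary as the Pi process itself` is broader than the sentence that follows it, which only lists locations the user controls (home directory, workspace, shell startup files, environment, Pi configuration). `files writable by that account` also covers world-writable or group-writable paths that a different local principal can write to, and a report built on that would be exactly the `crosses an operating-system privilege boundary` case the paragraph says is still in scope. Suggest stating the boundary as the user account itself (and whatever that account alone can write) so the two sentences agree. Nits in the surrounding context: `responsibiltiy` is misspelled, `Sandbox` is capitalized mid-sentence, and `and only to use pi within trusted repositories` reads better as `and only using Pi within trusted repositories` (the product name is `Pi` everywhere else).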
@@ -47,9 +55,13 @@ on `pi.dev`.
- Public internet exposure of a Pi installation
- Prompt injection attacks
- Exposed secrets that are third-party/user-controlled credentials
- Reports requiring write access to trusted local state/config (`~/.pi`, workspace
files, `AGENTS.md`, skills/extensions config), unless they show how an attacker
gets that write access.
- Reports requiring the ability to create, modify, delete, or replace files,
directories, symlinks, environment variables, shell configuration, or other
user-controlled local state on the target machine. This includes `~/.pi`,
`~/.pi/agent/models.json`, workspace files, `AGENTS.md`, skills, extensions,
extension configuration, dotfiles, and files synchronized through NFS, roaming
profiles, or dotfile managers, unless the report shows how Pi itself grants
that access.
- Issues caused by intentionally weakened user configuration.
- Resource/DOS claims that require trusted local input/config against the pi coding agent.
- Reports about malicious model output.
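Review bot: the two bullets about trusted local state overlap. `Reports requiring write access to trusted local state/config (`~/.pi`, workspace files, `AGENTS.md`, skills/extensions config)` is a subset of `Reports requiring the ability to create, modify, delete, or replace files, directories, symlinks, environment variables, shell configuration, or other user-controlled local state`. The rendered diff carries no `+`/`-` markers, so if the shorter bullet is the one being removed this is fine; if both survive, keep only the longer one. The two also set different bars: `unless they show how an attacker gets that write access` accepts any route to write access, while `unless the report shows how Pi itself grants that access` requires the route to go through Pi. Pick one wording so reporters know which standard applies. Nit: `Resource/DOS claims` should be `DoS`, and `the pi coding agent` lowercases the product name.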
@@ -62,6 +74,11 @@ with demonstrated impact. Reports that only show expected local-agent behavior,
prompt injection, or a malicious trusted extension/skill are not security
vulnerabilities under this model.
For example, a report showing that malicious contents written to a trusted Pi
configuration file cause Pi to execute commands, load attacker-controlled tools,
send credentials to an attacker-controlled endpoint, or otherwise change behavior
is out of scope.
When possible, include the exact affected path, package version or commit SHA,
configuration, and a proof of concept against the latest release or latest
`main`. For dependency reports, include evidence that the shipped dependency is
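Review bot: the worked example `malicious contents written to a trusted Pi configuration file` does not say who wrote them, and that is the whole test the preceding paragraphs set up (prior local write access versus Pi granting that access). Suggest `malicious contents written to a trusted Pi configuration file by an attacker who already has write access as the user`, so the example cannot be read as also excluding a case where Pi itself writes attacker-controlled content there. In the reporting guidance, `include the exact affected path, package version or commit SHA, configuration, and a proof of concept` could also ask reporters to name the trust boundary they believe is crossed, since that is what the scope section hinges on.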