From 0462d44f5695b49ef6e27ab3cd225219085a5b2b Mon Sep 17 00:00:00 2001 From: Armin Ronacher Date: Tue, 2 Jun 2026 17:24:41 +0200 Subject: [PATCH] doc: clarify wording in SECURITY.md --- SECURITY.md | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 0a249014b..ddd75e14d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -8,6 +8,14 @@ of the user that is running it. It's the responsibiltiy of the user to monitor its operations or to contain it within a container, virtual machine or other Sandbox solution. +Pi treats the local user account and files writable by that account as inside +the same trust boundary as the Pi process itself. If an attacker can modify files +under the user's home directory, workspace, shell startup files, environment, or +Pi configuration, they can generally influence Pi or other local developer tools. +Reports that depend on such prior local write access are not security +vulnerabilities unless they demonstrate how Pi grants that write access or crosses +an operating-system privilege boundary. + Pi relies on users installing trustworthy extensions and loading trustworthy skills and only to use pi within trusted repositories. This is because files like `AGENTS.md` or instructions in comments can be used to prompt inject the 
@@ -47,9 +55,13 @@ on `pi.dev`. - Public internet exposure of a Pi installation - Prompt injection attacks - Exposed secrets that are third-party/user-controlled credentials -- Reports requiring write access to trusted local state/config (`~/.pi`, workspace - files, `AGENTS.md`, skills/extensions config), unless they show how an attacker - gets that write access. +- Reports requiring the ability to create, modify, delete, or replace files, + directories, symlinks, environment variables, shell configuration, or other + user-controlled local state on the target machine. This includes `~/.pi`, + `~/.pi/agent/models.json`, workspace files, `AGENTS.md`, skills, extensions, + extension configuration, dotfiles, and files synchronized through NFS, roaming + profiles, or dotfile managers, unless the report shows how Pi itself grants + that access. - Issues caused by intentionally weakened user configuration. - Resource/DOS claims that require trusted local input/config against the pi coding agent. - Reports about malicious model output. @@ -62,6 +74,11 @@ with demonstrated impact. Reports that only show expected local-agent behavior, prompt injection, or a malicious trusted extension/skill are not security vulnerabilities under this model. +For example, a report showing that malicious contents written to a trusted Pi +configuration file cause Pi to execute commands, load attacker-controlled tools, +send credentials to an attacker-controlled endpoint, or otherwise change behavior +is out of scope. + When possible, include the exact affected path, package version or commit SHA, configuration, and a proof of concept against the latest release or latest `main`. For dependency reports, include evidence that the shipped dependency is
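Review bot: In the `@@ -8,6 +8,14 @@` hunk, the hedge "they can generally influence Pi or other local developer tools" weakens a paragraph that is meant to define a hard trust boundary; either drop "generally" or name the exception, since the closing sentence treats the boundary as absolute ("are not security vulnerabilities unless ..."). The same hunk's unchanged context still carries the typo "responsibiltiy" and an oddly capitalised "Sandbox solution" in "It's the responsibiltiy of the user to monitor / its operations or to contain it within a container, virtual machine or other / Sandbox solution."; a commit titled "clarify wording in SECURITY.md" is the natural place to fix both, e.g. "It's the responsibility of the user ... or other sandbox solution."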
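Review bot: The replacement bullet in the `@@ -47,9 +55,13 @@` hunk is broader than the boundary stated earlier in the patch and can be read to exclude reports that do cross an OS privilege boundary. "Reports requiring the ability to create, modify, delete, or replace files, / directories, symlinks, environment variables, shell configuration, or other / user-controlled local state on the target machine" covers files writable by any local account, e.g. a different, lower-privileged user on the same host creating a symlink or temp file in a shared directory, yet the earlier hunk explicitly keeps in scope reports that show Pi "crosses an operating-system privilege boundary". Suggest qualifying the bullet to state whose write access is assumed, e.g. "Reports requiring write access as the user running Pi to files, directories, symlinks, ...", so that cross-user attacks on shared paths are not swept out of scope by the wording. Separately, the explicit mention of `~/.pi/agent/models.json` reads as a reaction to one specific report; if it stays, it should be clearly an example ("for example `~/.pi/agent/models.json`") rather than one item in an otherwise generic list, so the list does not imply that unlisted files under `~/.pi` are treated differently.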
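Review bot: The example paragraph added in the `@@ -62,6 +74,11 @@` hunk omits the carve-out that every other out-of-scope statement in this patch carries, so quoted on its own it reads as an unconditional exclusion. "For example, a report showing that malicious contents written to a trusted Pi / configuration file cause Pi to execute commands, load attacker-controlled tools, / send credentials to an attacker-controlled endpoint, or otherwise change behavior / is out of scope." should end with the same condition used in the bullet above it, e.g. "... is out of scope unless it also shows how Pi let the attacker write that file." Without it, a report that pairs a config-driven credential exfiltration with a genuine write primitive in Pi could be dismissed by citing this sentence alone.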