Mirror of https://github.com/earendil-works/pi.git, synced 2026-06-18 15:54:04 +08:00
doc: clarify wording in SECURITY.md
+20
-3
@@ -8,6 +8,14 @@ of the user that is running it. It's the responsibiltiy of the user to monitor
|
|||||||
its operations or to contain it within a container, virtual machine or other
|
its operations or to contain it within a container, virtual machine or other
|
||||||
Sandbox solution.
|
Sandbox solution.
|
||||||
|
|
||||||
|
Pi treats the local user account and files writable by that account as inside
|
||||||
|
the same trust boundary as the Pi process itself. If an attacker can modify files
|
||||||
|
under the user's home directory, workspace, shell startup files, environment, or
|
||||||
|
Pi configuration, they can generally influence Pi or other local developer tools.
|
||||||
|
Reports that depend on such prior local write access are not security
|
||||||
|
vulnerabilities unless they demonstrate how Pi grants that write access or crosses
|
||||||
|
an operating-system privilege boundary.
|
||||||
|
|
||||||
Pi relies on users installing trustworthy extensions and loading trustworthy
|
Pi relies on users installing trustworthy extensions and loading trustworthy
|
||||||
skills and only to use pi within trusted repositories. This is because files
|
skills and only to use pi within trusted repositories. This is because files
|
||||||
like `AGENTS.md` or instructions in comments can be used to prompt inject the
|
like `AGENTS.md` or instructions in comments can be used to prompt inject the
|
||||||
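Review bot: in the added trust-boundary paragraph, "environment" appears in a list of file locations ("files under the user's home directory, workspace, shell startup files, environment, or Pi configuration") but is not a file; the second hunk of this same commit says "environment variables", so use that wording here as well so the two passages agree. Since the commit is about clarifying wording, the unchanged context around the insertion also deserves a pass: "responsibiltiy" in the hunk header line, "Sandbox solution." capitalized mid-sentence, and "loading trustworthy skills and only to use pi within trusted repositories" mixes a gerund with an infinitive (suggest "and only using Pi within trusted repositories"); "pi" and "Pi" alternate throughout the file.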
@@ -47,9 +55,13 @@ on `pi.dev`.
|
|||||||
- Public internet exposure of a Pi installation
|
- Public internet exposure of a Pi installation
|
||||||
- Prompt injection attacks
|
- Prompt injection attacks
|
||||||
- Exposed secrets that are third-party/user-controlled credentials
|
- Exposed secrets that are third-party/user-controlled credentials
|
||||||
- Reports requiring write access to trusted local state/config (`~/.pi`, workspace
|
- Reports requiring the ability to create, modify, delete, or replace files,
|
||||||
files, `AGENTS.md`, skills/extensions config), unless they show how an attacker
|
directories, symlinks, environment variables, shell configuration, or other
|
||||||
gets that write access.
|
user-controlled local state on the target machine. This includes `~/.pi`,
|
||||||
|
`~/.pi/agent/models.json`, workspace files, `AGENTS.md`, skills, extensions,
|
||||||
|
extension configuration, dotfiles, and files synchronized through NFS, roaming
|
||||||
|
profiles, or dotfile managers, unless the report shows how Pi itself grants
|
||||||
|
that access.
|
||||||
- Issues caused by intentionally weakened user configuration.
|
- Issues caused by intentionally weakened user configuration.
|
||||||
- Resource/DOS claims that require trusted local input/config against the pi coding agent.
|
- Resource/DOS claims that require trusted local input/config against the pi coding agent.
|
||||||
- Reports about malicious model output.
|
- Reports about malicious model output.
|
||||||
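Review bot: the rewritten bullet lists `~/.pi/agent/models.json` next to `~/.pi`, which already contains it; naming one file inside an already-listed directory invites the question of why other files under `~/.pi` are not named, so either drop the path or mark it as an example ("e.g. `~/.pi/agent/models.json`"). Also, "files synchronized through NFS, roaming profiles, or dotfile managers" is the only item that names a transport rather than a location; say explicitly that an attacker who controls the synchronization source is treated the same as one with local write access, which reads as the intent. Minor: the bullet now overlaps with "Prompt injection attacks" through `AGENTS.md`, and the neighbouring items are inconsistent about trailing periods and "DOS" vs "DoS".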
@@ -62,6 +74,11 @@ with demonstrated impact. Reports that only show expected local-agent behavior,
|
|||||||
prompt injection, or a malicious trusted extension/skill are not security
|
prompt injection, or a malicious trusted extension/skill are not security
|
||||||
vulnerabilities under this model.
|
vulnerabilities under this model.
|
||||||
|
|
||||||
|
For example, a report showing that malicious contents written to a trusted Pi
|
||||||
|
configuration file cause Pi to execute commands, load attacker-controlled tools,
|
||||||
|
send credentials to an attacker-controlled endpoint, or otherwise change behavior
|
||||||
|
is out of scope.
|
||||||
|
|
||||||
When possible, include the exact affected path, package version or commit SHA,
|
When possible, include the exact affected path, package version or commit SHA,
|
||||||
configuration, and a proof of concept against the latest release or latest
|
configuration, and a proof of concept against the latest release or latest
|
||||||
`main`. For dependency reports, include evidence that the shipped dependency is
|
`main`. For dependency reports, include evidence that the shipped dependency is
|
||||||
|
|||||||
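Review bot: the new "For example" paragraph lists outcomes (execute commands, load attacker-controlled tools, send credentials to an attacker-controlled endpoint) as out of scope, but it restates the out-of-scope rule without its exception; a reader landing on this paragraph alone could conclude that credential exfiltration via a config file is never in scope. Suggest closing the sentence with the condition the first hunk of this commit already states, e.g. "is out of scope, unless the report shows how Pi itself granted the attacker that write access or crossed an operating-system privilege boundary."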