doc: clarify wording in SECURITY.md

Armin Ronacher
2026-06-02 17:24:41 +02:00
Unverified
parent e30b1b18d0
commit 0462d44f56
+20 -3
@@ -8,6 +8,14 @@ of the user that is running it. It's the responsibiltiy of the user to monitor
its operations or to contain it within a container, virtual machine or other
Sandbox solution.
Pi treats the local user account and files writable by that account as inside
the same trust boundary as the Pi process itself. If an attacker can modify files
under the user's home directory, workspace, shell startup files, environment, or
Pi configuration, they can generally influence Pi or other local developer tools.
Reports that depend on such prior local write access are not security
vulnerabilities unless they demonstrate how Pi grants that write access or crosses
an operating-system privilege boundary.
Pi relies on users installing trustworthy extensions and loading trustworthy
skills and only to use pi within trusted repositories. This is because files
like `AGENTS.md` or instructions in comments can be used to prompt inject the
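Review bot: "files writable by that account" in the new paragraph is wider than the boundary you seem to intend, because it also covers shared locations such as world-writable temp directories that a different, lower-privileged local user can write to; a report where Pi reads or executes from such a path is exactly the cross-user case the last sentence wants to keep in scope. Consider phrasing the boundary as files owned by or under the exclusive control of the user (for example "files under the user's exclusive control, such as the home directory and workspace"), so that the "crosses an operating-system privilege boundary" exception is not read as being pre-empted by the first sentence. Also, the unchanged context on the first line of this hunk still carries the typo "responsibiltiy"; worth fixing while touching this paragraph.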
@@ -47,9 +55,13 @@ on `pi.dev`.
- Public internet exposure of a Pi installation
- Prompt injection attacks
- Exposed secrets that are third-party/user-controlled credentials
- Reports requiring write access to trusted local state/config (`~/.pi`, workspace
files, `AGENTS.md`, skills/extensions config), unless they show how an attacker
gets that write access.
- Reports requiring the ability to create, modify, delete, or replace files,
directories, symlinks, environment variables, shell configuration, or other
user-controlled local state on the target machine. This includes `~/.pi`,
`~/.pi/agent/models.json`, workspace files, `AGENTS.md`, skills, extensions,
extension configuration, dotfiles, and files synchronized through NFS, roaming
profiles, or dotfile managers, unless the report shows how Pi itself grants
that access.
- Issues caused by intentionally weakened user configuration.
- Resource/DOS claims that require trusted local input/config against the pi coding agent.
- Reports about malicious model output.
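Review bot: the exception clause at the end of the new bullet ("unless the report shows how Pi itself grants that access") is narrower than the one introduced in the paragraph above ("unless they demonstrate how Pi grants that write access or crosses an operating-system privilege boundary"), so the two statements of the same rule now disagree on whether a privilege-boundary crossing is in scope. Suggest aligning the bullet to the earlier wording, e.g. "unless the report shows how Pi itself grants that access or crosses an operating-system privilege boundary." The bullet is also long enough that splitting the enumeration of example paths into a second sentence, or trimming it back to the representative items the old bullet listed (`~/.pi`, workspace files, `AGENTS.md`, skills/extensions config), would keep the rule readable.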
@@ -62,6 +74,11 @@ with demonstrated impact. Reports that only show expected local-agent behavior,
prompt injection, or a malicious trusted extension/skill are not security
vulnerabilities under this model.
For example, a report showing that malicious contents written to a trusted Pi
configuration file cause Pi to execute commands, load attacker-controlled tools,
send credentials to an attacker-controlled endpoint, or otherwise change behavior
is out of scope.
When possible, include the exact affected path, package version or commit SHA,
configuration, and a proof of concept against the latest release or latest
`main`. For dependency reports, include evidence that the shipped dependency is
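Review bot: the new example paragraph states the out-of-scope outcome without the exception that the rest of the document attaches to it; read alone, "is out of scope" would also exclude a report that demonstrates how the attacker obtained the write to the configuration file in the first place, which the earlier text explicitly keeps in scope. Suggest closing the sentence with the same qualifier, e.g. "is out of scope unless the report also shows how the attacker obtained that write access." Naming one of the concrete paths from the out-of-scope list (for example `~/.pi/agent/models.json`) instead of the generic "a trusted Pi configuration file" would also make the example easier to match against incoming reports.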