Added security file

Armin Ronacher
2026-06-02 17:03:40 +02:00
Unverified
parent 25a4a8ed1e
commit e30b1b18d0
@@ -0,0 +1,70 @@
# Security Policy
This document should guide you about understanding the security concept behind
Pi and also where the boundaries are.
In general Pi is a coding agent that runs locally within the security boundary
of the user that is running it. It's the responsibiltiy of the user to monitor
its operations or to contain it within a container, virtual machine or other
Sandbox solution.
Pi relies on users installing trustworthy extensions and loading trustworthy
skills and only to use pi within trusted repositories. This is because files
like `AGENTS.md` or instructions in comments can be used to prompt inject the
coding agent trivially and this cannot be protected against.
## Reporting a Vulnerability
If you believe you found a security vulnerability in pi or another package in
this repository, please report it privately by either:
- Emailing `security@earendil.com`, or
- Opening a private report through GitHub Security Advisories for this repository
Please include:
- A description of the issue and its impact
- Steps to reproduce, proof of concept, or relevant logs
- Affected package, version, commit, or configuration
- Any known mitigations
Do not open a public issue for security-sensitive reports. We will review
reports and coordinate disclosure as appropriate.
## Scope
Security issues in the distributed packages, command-line tools, APIs, and
repository code are in scope as well as earendil operated infrastricture
on `pi.dev`.
## Out Of Scope
- Local code execution or sandboxing behavior (the Pi coding agent intentionally does not have a sandbox)
- Behavior of pi extensions or skills installed by the user
- Risks from working in untrusted repositories
- Risks from installing untrusted extensions, skills, packages, or tools
- Isuses caused by non trustworthy MITM proxies
- Public internet exposure of a Pi installation
- Prompt injection attacks
- Exposed secrets that are third-party/user-controlled credentials
- Reports requiring write access to trusted local state/config (`~/.pi`, workspace
files, `AGENTS.md`, skills/extensions config), unless they show how an attacker
gets that write access.
- Issues caused by intentionally weakened user configuration.
- Resource/DOS claims that require trusted local input/config against the pi coding agent.
- Reports about malicious model output.
- User-approved or user-initiated local actions presented as vulnerabilities.
## Notes for Reporters
The most useful reports show a current, reproducible security boundary bypass
with demonstrated impact. Reports that only show expected local-agent behavior,
prompt injection, or a malicious trusted extension/skill are not security
vulnerabilities under this model.
When possible, include the exact affected path, package version or commit SHA,
configuration, and a proof of concept against the latest release or latest
`main`. For dependency reports, include evidence that the shipped dependency is
affected and that the issue is reachable through Pi. For exposed-secret reports,
include evidence that the credential is owned by Earendil or grants access to
Earendil-operated infrastructure or services.
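Review bot: spelling and casing need a pass before this lands: `responsibiltiy` in "It's the responsibiltiy of the user", `infrastricture` in the Scope section and `Isuses` in the Out Of Scope list are typos, `Sandbox` in "or other Sandbox solution" should be lowercase, and the product and company names alternate between `Pi`/`pi` and `Earendil`/`earendil` across the file, so pick one form of each and use it consistently. The Scope sentence also reads better with a comma, e.g. "repository code are in scope, as well as Earendil-operated infrastructure on `pi.dev`". Finally, "We will review reports and coordinate disclosure as appropriate" gives reporters no expectation of when to hear back; consider stating an acknowledgement window there so private reporters know when a silent report should be escalated through the GitHub Security Advisories channel listed above.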