diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..0a249014b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,70 @@ +# Security Policy + +This document should guide you about understanding the security concept behind +Pi and also where the boundaries are. + +In general Pi is a coding agent that runs locally within the security boundary +of the user that is running it. It's the responsibiltiy of the user to monitor +its operations or to contain it within a container, virtual machine or other +Sandbox solution. + +Pi relies on users installing trustworthy extensions and loading trustworthy +skills and only to use pi within trusted repositories. This is because files +like `AGENTS.md` or instructions in comments can be used to prompt inject the +coding agent trivially and this cannot be protected against. + +## Reporting a Vulnerability + +If you believe you found a security vulnerability in pi or another package in +this repository, please report it privately by either: + +- Emailing `security@earendil.com`, or +- Opening a private report through GitHub Security Advisories for this repository + +Please include: + +- A description of the issue and its impact +- Steps to reproduce, proof of concept, or relevant logs +- Affected package, version, commit, or configuration +- Any known mitigations + +Do not open a public issue for security-sensitive reports. We will review +reports and coordinate disclosure as appropriate. + +## Scope + +Security issues in the distributed packages, command-line tools, APIs, and +repository code are in scope as well as earendil operated infrastricture +on `pi.dev`. + +## Out Of Scope + +- Local code execution or sandboxing behavior (the Pi coding agent intentionally does not have a sandbox) +- Behavior of pi extensions or skills installed by the user +- Risks from working in untrusted repositories +- Risks from installing untrusted extensions, skills, packages, or tools +- Isuses caused by non trustworthy MITM proxies +- Public internet exposure of a Pi installation +- Prompt injection attacks +- Exposed secrets that are third-party/user-controlled credentials +- Reports requiring write access to trusted local state/config (`~/.pi`, workspace + files, `AGENTS.md`, skills/extensions config), unless they show how an attacker + gets that write access. +- Issues caused by intentionally weakened user configuration. +- Resource/DOS claims that require trusted local input/config against the pi coding agent. +- Reports about malicious model output. +- User-approved or user-initiated local actions presented as vulnerabilities. + +## Notes for Reporters + +The most useful reports show a current, reproducible security boundary bypass +with demonstrated impact. Reports that only show expected local-agent behavior, +prompt injection, or a malicious trusted extension/skill are not security +vulnerabilities under this model. + +When possible, include the exact affected path, package version or commit SHA, +configuration, and a proof of concept against the latest release or latest +`main`. For dependency reports, include evidence that the shipped dependency is +affected and that the issue is reachable through Pi. For exposed-secret reports, +include evidence that the credential is owned by Earendil or grants access to +Earendil-operated infrastructure or services.