site/src/pages/responsible-disclosure-policy.md
Promptfoo values the security and privacy of our users, customers, and the broader community. We welcome responsible disclosure of vulnerabilities.
This policy covers vulnerabilities in:
For technical details on our security model, trust boundaries, and hardening recommendations, see SECURITY.md on GitHub.
The OSS CLI runs in your environment with your user permissions. It is permissive by default and executes user-configured code (custom assertions, custom or script-based providers, transforms, hooks, plugins, and templates in fields that execute code) without sandboxing.
Treat Promptfoo configuration files and everything they reference or evaluate against as trusted code and data. This includes referenced scripts, prompt packs, test fixtures or datasets, configured providers, models, remote content, and model-output feedback loops. Run untrusted configs, scripts, prompt packs, fixtures, datasets, providers, models, remote content, model-output feedback loops, or pull requests only when the run is isolated and secrets are scoped for that run.
Promptfoo OSS is a local eval runner, not a sandbox for adversarial eval content. Adversarial data flowing through the configured template engine and eval pipeline (e.g., model output in grading prompts, variable values rendered through Nunjucks) is normal operation. However, if a code path outside the configured template engine or user-configured code-executing fields promotes runtime data to code, that is a vulnerability.
In scope for OSS: runtime data promoted to code by a code path outside the configured template engine and user-configured code-executing fields; bypasses of supported isolation boundaries or hardening controls; data or secret leakage to destinations not configured to receive that data or secret.
Out of scope for OSS: adversarial eval content flowing through the configured template engine and eval pipeline; code execution from explicitly configured custom code or templates in fields that execute code; direct local API or browser access to the OSS local server (promptfoo view); and issues requiring users to run untrusted configs, scripts, prompt packs, fixtures, datasets, providers, models, remote content, or model-output feedback loops with local privileges.
Secret persistence or display that remains confined to the same local user account is generally treated as a hardening or privacy issue rather than a security-boundary bypass. It becomes in scope only when Promptfoo bypasses a documented redaction or disable/opt-out control, or uploads, shares, exports, or otherwise exposes that data beyond the same local account.
Promptfoo Cloud operates with higher isolation expectations. The following are in scope and treated as critical:
Do not open a public GitHub issue for security reports.
Report privately via:
Include:
To speed triage, also include:
main)Origin or Sec-Fetch-Site headers from curl or other non-browser clients are not sufficientWe will acknowledge your report within 1 business day and keep you informed throughout remediation.
When researching or disclosing vulnerabilities:
We ask that you keep details private until:
We will work with you to establish a reasonable timeline.
Upon receiving your disclosure, we commit to:
If you act in good faith and follow this policy, we will not pursue legal action against you for security research that:
The following are out-of-scope:
promptfoo view)Origin or Sec-Fetch-Site headers from non-browser clientsIf unsure whether something is in scope, report it anyway.
Thank you for helping protect Promptfoo users.