| author | Dax Raad <[email protected]> | 2026-01-20 12:17:58 -0500 |
|---|---|---|
| committer | Dax Raad <[email protected]> | 2026-01-20 12:17:58 -0500 |
| commit | b05d88a73012e2f2eeeae1ac92e0be4a9f0864fc (patch) | |
| tree | 2bfb0cd26eceddfefdfa4f1ea71015ceee4af21f /SECURITY.md | |
| parent | a3a06ffc4fd8e9a33bb751643ab37fb69aaca138 (diff) | |
| download | opencode-b05d88a73012e2f2eeeae1ac92e0be4a9f0864fc.tar.gz opencode-b05d88a73012e2f2eeeae1ac92e0be4a9f0864fc.zip | |
docs: clarify that malicious config files are not an attack vector
Diffstat (limited to 'SECURITY.md')
| -rw-r--r-- | SECURITY.md | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/SECURITY.md b/SECURITY.md index 3a653d01c..93c7341ce 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -24,6 +24,7 @@ Server mode is opt-in only. When enabled, set `OPENCODE_SERVER_PASSWORD` to requ | **Sandbox escapes** | The permission system is not a sandbox (see above) | | **LLM provider data handling** | Data sent to your configured LLM provider is governed by their policies | | **MCP server behavior** | External MCP servers you configure are outside our trust boundary | +| **Malicious config files** | Users control their own config; modifying it is not an attack vector | --- |
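Review bot: The added `**Malicious config files**` row justifies the exclusion with "Users control their own config", which only covers config the user wrote. A file described as malicious normally has a different author than the person running the tool. As worded, the row does not say whether config that reaches the user from elsewhere, for example a file shipped inside a project they open, is also out of scope. Consider naming the config locations the row applies to. If any config can be loaded from a source the user did not author, either exclude that case from the row explicitly or state that it is the user's responsibility to review it, in the same way the `**MCP server behavior**` row states where the trust boundary sits.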
