If you discover a security vulnerability in the AIIP protocol specification or reference artifacts, please report it responsibly through GitHub's private security advisory channel:
Report a vulnerability on GitHub
This keeps the report private until a fix is released and coordinated disclosure is complete.
Please include:
- Description of the vulnerability
- Steps to reproduce (if applicable)
- Potential impact assessment
- Suggested fix (if any)
Response timeline:
- Acknowledgment: within 48 hours
- Initial assessment: within 7 days
- Resolution plan: within 14 days
This security policy covers:
- The AIIP protocol specification (`specification/AIIP_Protocol_cn.md`)
- The canonical enum registry (`specification/registry_cn.md`)
- The JSON Schemas (`schemas/`) and examples (`examples/`)
- The reference validator and conformance suite (`tests/`)
- Official documentation in `docs/` and `docs_cn/`
Because AIIP decides whether and why an agent acts, the specification carries an Axiom 0 alignment gate for high-risk intents (§2): every intent passes an Intent Alignment Check (human sovereignty / wellbeing / user-intent consistency / risk level / permission), and every high-risk intent (`risk_level` = high | critical) MUST pass a human approval gate before its work is generated or run. The machine-checkable validator enforces the high-risk approval gate and emits `AIIP_ALIGNMENT_VIOLATION` when an intent graded high/critical lacks `governance.approval_required = true` (or the equivalent permission flag). Reports that defeat these gates are in scope. The threats this layer most cares about:
- Intent poisoning — an attacker (or a compromised upstream signal) plants or mutates an intent so the agent pursues a harmful goal. AIIP requires AI-derived intents to be marked `source=agent`, gives the explicit user intent the highest priority, and forces every intent through the alignment check; a poisoned high-risk intent still hits the approval gate.
- Intent-target injection — a malicious intent tries to bind work or knowledge to an unauthorized or out-of-scope target, or to lower its declared `risk_level` so that it dodges the gate. Risk grading is fail-closed and the approval trigger is keyed off the declared high-risk class, not node-name guesswork.
- Drift exploitation — execution is steered away from the original aim. AIIP raises `AIIP_DRIFT_WARNING` and routes to `request_user_confirmation` / `revise_intent` / `regenerate_jobs` / `pause_execution`; defeating the drift signal is in scope.
- Silent revision — hiding that an intent changed. The agent MUST explain any intent revision; suppressing the revision record is in scope.
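The approval gate and its fail-closed grading, as an added illustration that is not the project's reference validator (`tests/`). The field names `risk_level`, `governance.approval_required` and the error code `AIIP_ALIGNMENT_VIOLATION` come from the text above; the flat JSON layout, the function names, the assumed enum values for `risk_level`, and the choice to treat a missing or unrecognized grade as `critical` are assumptions made for this example. The sample intents at the bottom are constructed, not taken from `examples/`.

```python
"""Stand-in for the AIIP high-risk approval gate (added example, not AIIP code).

Two properties from the security policy are modelled:
  * the gate fires on the declared coarse risk class (high/critical), never on
    the intent's title or node names;
  * grading is fail-closed: an absent, blank or unrecognized risk_level cannot
    be used to slip under the gate, it is treated as the most severe class.
"""
import json

HIGH_RISK = frozenset({"high", "critical"})
# Assumed enum for this example; the canonical values live in the registry.
KNOWN_RISK = frozenset({"low", "medium", "high", "critical"})
VIOLATION = "AIIP_ALIGNMENT_VIOLATION"


def effective_risk(intent: dict) -> str:
    """Normalize the declared risk_level, failing closed to 'critical'."""
    level = intent.get("risk_level")
    if not isinstance(level, str):
        return "critical"
    level = level.strip().lower()
    return level if level in KNOWN_RISK else "critical"


def approval_gate_findings(intent: dict) -> list:
    """Return the list of violation codes for one intent (empty = gate passed).

    Only a literal boolean true counts as approval: "yes", 1 or a missing
    governance object are all rejected so the gate cannot be satisfied by a
    loosely typed or forged field.
    """
    if effective_risk(intent) not in HIGH_RISK:
        return []
    governance = intent.get("governance")
    if not isinstance(governance, dict):
        return [VIOLATION]
    if governance.get("approval_required") is not True:
        return [VIOLATION]
    return []


def validate_intent_json(text: str) -> list:
    """Parse a JSON intent document and run the gate; unparsable input fails closed."""
    try:
        intent = json.loads(text)
    except ValueError:
        return [VIOLATION]
    if not isinstance(intent, dict):
        return [VIOLATION]
    return approval_gate_findings(intent)


# Constructed sample intents (hypothetical, not from the AIIP examples/ tree).
SAMPLES = {
    "benign_low": '{"title": "rename a local file", "source": "user", '
                  '"risk_level": "low", "governance": {}}',
    "high_approved": '{"title": "rotate prod credentials", "source": "user", '
                     '"risk_level": "high", '
                     '"governance": {"approval_required": true}}',
    # Benign-sounding title, but the declared class is what the gate keys on.
    "high_no_governance": '{"title": "tidy up", "source": "agent", '
                          '"risk_level": "High"}',
    "critical_string_flag": '{"title": "wipe tenant", "source": "agent", '
                            '"risk_level": "critical", '
                            '"governance": {"approval_required": "yes"}}',
    # Attacker drops the field hoping to be graded as harmless.
    "missing_level": '{"title": "tidy up", "source": "agent", '
                     '"governance": {"approval_required": false}}',
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: [codes]}."""
    return {name: validate_intent_json(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, codes in run_samples().items():
        print(f"{name:22s} -> {codes or 'ok'}")
```

Note the asymmetry this models: a downgrade attack that edits `risk_level` to `low` is not detected here, because the validator can only check the declared class; catching that requires an upstream grader whose output the attacker cannot rewrite, which is exactly why the policy treats risk grading as a fail-closed step rather than a field the intent author controls.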
AIIP is a goal / intent layer, not a runtime or a complete security framework. The following are documented honest limits, not vulnerabilities:
- AIIP does not execute consequential actions — an intent generates an AIJP Work Tree and focuses an AIKP knowledge context; execution is delegated downstream to AIJP → AISOP / AIAP / tools / humans / external services. The safety of the delegated executor (and its authorization against AIAP) is that executor's responsibility, not AIIP's.
- Intent poisoning via derivation is gated and governed, not prevented — the alignment check and approval gate reduce the goal-poisoning / goal-drift surface, but the final judgment of whether an intent is truly aligned is delegated to the implementation (typically an LLM) and the HSAW / AIZP layers — see AIIP_Protocol_cn.md §2 / §6.
- The high-risk trigger is a conservative machine proxy, not a guarantee — the gate fires on the declared coarse `risk_level` (high/critical); fine-grained action classification is a downstream AIJP concern (`execute_with.action_class`). The gate forces structural human review but does not certify that a derived intent is actually benign — see registry §17/§18.
- No planner / executor / storage / UI — AIIP defines the intent structure, not the planner algorithm, the executor, the persistence layer, or the UI; automatic intent-derivation algorithms are a deferred candidate, not a shipped guarantee.
- Version history / rollback for intent artifacts is delegated to the host VCS (local git) and off-site copies, not reinvented in JSON.
We follow a coordinated disclosure process. Please do not publicly disclose vulnerabilities until a fix has been released and announced.
Align Axiom 0: Human Sovereignty and Wellbeing. AIIP v0.1.0. www.aiip.dev