If you discover a security vulnerability in this project, please do not open a public issue. Instead:

1. Email: Send a detailed report to the project maintainer via private message or email (ishakemir454@gmail.com).

2. Include:

   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

3. Response time: We aim to acknowledge reports within 48 hours and provide a fix or mitigation within 7 days for critical issues.

The CUA agent operates inside a Docker container (trycua/cua-xfce), which provides a layer of isolation between the AI agent and the host system:

┌─────────────────────────────────────┐
│  Host Machine                       │
│  ┌───────────────────────────────┐  │
│  │  Docker Container (Sandbox)   │  │
│  │  ┌─────────────────────────┐  │  │
│  │  │  XFCE Desktop (VNC)     │  │  │
│  │  │  Agent actions run HERE │  │  │
│  │  └─────────────────────────┘  │  │
│  └───────────────────────────────┘  │
│  PyQt6 UI + LLM (host-side)        │
└─────────────────────────────────────┘

• The agent cannot access host files, network services, or processes directly.
• All interactions go through the container's REST API on a localhost-only port.
• The container has no privileged access to the host.

The agent uses a vision-language model to interpret screenshots and decide actions. Like all LLM-based systems, it is potentially susceptible to prompt injection attacks:

• Risk: Malicious text displayed on the VM screen could influence the agent's behavior.
• Mitigation: The agent operates in an isolated sandbox, limiting the blast radius. The repeat guard and step limit provide additional boundaries.
• Recommendation: Do not point the agent at untrusted websites or content without supervision.

• The sandbox container runs a full Linux desktop. While isolated, Docker is not a security boundary equivalent to a VM.
• Recommendation: Keep Docker and the container image updated. Do not run the container with --privileged or --net=host flags.

• The container API listens on localhost:8001 by default. It is not exposed to the network.
• The VNC server inside the container is also bound to localhost.
• Recommendation: Do not change port bindings to 0.0.0.0 in production environments.

• The GGUF model is downloaded from HuggingFace on first run. Always verify you are downloading from the intended repository.
• Recommendation: Check the model repository URL in src/config.py before first run.

1. Run in a dedicated environment — Use a separate user account or VM for running the agent.
2. Keep the sandbox updated — Regularly pull the latest container image: docker pull trycua/cua-xfce:latest.
3. Monitor agent actions — Use the Mission Control UI to watch the agent in real-time; stop it if behavior seems unexpected.
4. Limit step count — Keep MAX_STEPS reasonable (default: 20) to prevent runaway executions.
5. Review logs — Check the structured logs after each run; export them via the JSON export feature for auditing.
6. Do not store credentials — Never ask the agent to handle passwords, API keys, or other secrets inside the sandbox.
7. Network isolation — If possible, restrict the container's outbound network access using Docker network policies.

Key dependencies and their security considerations:

• We follow coordinated disclosure — please allow us reasonable time to fix issues before public disclosure.
• Contributors who report valid vulnerabilities will be credited in the release notes (unless they prefer anonymity).
• We do not currently have a bug bounty program.