From aa0dfcbf584bd98ab31b4652ff8f9da01c500caa Mon Sep 17 00:00:00 2001 From: Mathias Bynens Date: Wed, 8 Apr 2026 08:57:07 +0200 Subject: [PATCH] chore: add guidelines w.r.t. valid security issues --- SECURITY.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SECURITY.md b/SECURITY.md index c5bfca281..b8fac9564 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -1,3 +1,9 @@ ## Security policy The Chrome DevTools MCP project takes security very seriously. Please use [Chromium’s process to report security issues](https://www.chromium.org/Home/chromium-security/reporting-security-bugs/). + +### Scope + +In general, it is the expectation that the AI agent or client using this MCP server validates any input before sending it. The server provides powerful capabilities for browser automation and inspection, and it is the responsibility of the calling agent to ensure these are used safely and as intended. + +Several tools in this project have the ability to perform actions such as writing files to disk (e.g., via browser downloads or screenshots) or dynamically loading Chrome extensions. These are intentional, documented features and are not vulnerabilities.
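Review bot: The added Scope section in SECURITY.md states only what is not a vulnerability, while the commit subject promises guidelines on valid security issues; neither new paragraph tells a reporter what would still be accepted. Consider a closing sentence after "These are intentional, documented features and are not vulnerabilities." that says what remains reportable, for example behavior that goes beyond the documented capabilities of a tool, if that is the intent. Two smaller points in the same hunk: "validates any input before sending it" does not say which input is meant, so naming it (the arguments the agent or client passes to the server's tools, if that is what is intended) would make the responsibility boundary something triage can check; and "intentional, documented features" would be easier to cite when closing a report if it linked to the place where file writes via downloads or screenshots and extension loading are documented.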