feat: defense posture community patterns (CP-1001 — CP-1006)#1669
Open
ppcvote wants to merge 6 commits intoNVIDIA:mainfrom
Open
feat: defense posture community patterns (CP-1001 — CP-1006)#1669ppcvote wants to merge 6 commits intoNVIDIA:mainfrom
ppcvote wants to merge 6 commits intoNVIDIA:mainfrom
Conversation
Six YAML-based community patterns for assessing LLM system prompt defense posture, as discussed in NVIDIA#1666. Each pattern includes: - Probe prompts with attack metadata - Static indicators (regex, <1ms) for hardening score - Behavioral pass/fail criteria for model inference scoring - Calibration metadata for false-refusal correlation - Empirical gap rates from 721 production AI applications Patterns: - CP-1001: Role Boundary Defense (41% gap rate) - CP-1002: System Prompt Data Leakage (59% gap rate) - CP-1003: Multi-Language Bypass Resistance (72% gap rate) - CP-1004: Social Engineering Resistance (82% gap rate) - CP-1005: Output Weaponization Defense (66% gap rate) - CP-1006: Indirect Injection via External Data (96% gap rate) Total hardening score: 0-15 (threshold >= 10 for "adequately hardened") Dataset: doi:10.5281/zenodo.19410475 Ref: NVIDIA#1666
Contributor
|
DCO Assistant Lite bot All contributors have signed the DCO ✍️ ✅ |
Author
|
I have read the DCO Document and I hereby sign the DCO |
Author
|
recheck |
This was referenced Apr 5, 2026
…oduction prompts Previous data incorrectly used HTML analysis of 721 websites as proxy for system prompt defense rates. This update uses actual system prompt analysis from jujumilk3/leaked-system-prompts (n=121). Key changes: - Source: jujumilk3/leaked-system-prompts (not website HTML scans) - Sample: 121 real production system prompts (not 721 website URLs) - All gap rates updated to match actual measurements - Methodology description corrected - Limitations section added to README
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Six YAML-based community patterns for assessing LLM system prompt defense posture, as discussed in #1666.
What this adds:
community_modules/contrib/defense-posture/— 6 patterns + index + READMEPatterns
Average defense score: 36/100. Only 1.1% scored A. 78.3% scored F.
Design
Each pattern supports two scoring modes in one pass:
Data source
1,646 unique production system prompts from 4 public datasets:
Scanned with prompt-defense-audit (deterministic regex, <5ms). Deduplicated by content hash.
Fully reproducible: clone the 4 dataset repos and run the scanner.
Limitations: Regex measures keyword presence, not behavioral resilience. Leaked prompts may be outdated. Selection bias possible. GPT Store prompts (84% of sample) are typically less hardened than platform-level prompts.
Calibration readiness
Each pattern includes `calibration.expected_false_refusal_delta`. The `hardening_score_contribution` fields sum to 15, enabling the "hardening score ≥ 10" threshold analysis discussed in #1666.
Ref: #1666