Skip to content

Create security.md #253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Create security.md #253

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d38dc6b
Create security.md
d-a-v-i-- Mar 5, 2021
f68c8b7
Update security.md
timea-solid Jan 24, 2023
f51dcc1
Update security.md
timea-solid Jan 24, 2023
351dd5b
Update security.md
timea-solid Jan 24, 2023
515177c
Update security.md
timea-solid Jan 24, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 33 additions & 0 deletions security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
### Security Vulnerability Reporting
The Product Security Incident Response Team (PSIRT) at Solid acknowledges the valuable role researchers play. We encourage reporting of any concerns and vulnerabilities found in our sites or software.

[email protected]
Submit an issue to our team on github
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure which repo these issues belong on.

Suggested change
[email protected]
Submit an issue to our team on github
Please submit any issues to [our team on github](needs_the_repo/issues/), or email <[email protected]>.


We are committed to working with the community to verify and respond to these reports in a timely fashion. Here's what you can expect when submitting a report:

* Acknowledgement of report receipt
* Communication of estimated time for resolution
* Notification of fix

We request that the following research not be conducted without formal authorization and advance coordination to avoid harms to customers and violation of laws.

* Denial of Service (DoS) of any kind
* Automated security tools
* Accessing, or attempting to access, data or information that does not belong to you
* Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you

Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on third party CVE handling.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on Handling Third Party CVE (Common Vulnerabilities and Exposures).


### Third Party CVE Handling
The Solid team updates 3rd party components within regularly scheduled release cycles, to the newest compatible version available during development. A vulnerability related to a 3rd party component does not necessarily translate to a vulnerability in Inrupt software. PSIRT welcomes questions about the applicability of a 3rd party CVE.

Risk is determined through internal scoring using CVSSv3.1 (https://www.first.org/cvss/calculator/3.1).

### Security Advisories
Notifications and descriptions of security incidents are available here.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be clear, at loss of a better solution, are you recommended that the list of Security Advisories related to Solid will be currated manually as a list:

  • inside this present document; or;
  • in an external security-advisories.md?

I would probably have a slight preference for the latter.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Notifications and descriptions of security incidents are available here.
Notifications and descriptions of security incidents are available [here](needs_a_link_to_document_or_directory).


Security Advisories and other security content are provided on an "as is" basis and do not imply any kind of guarantee or warranty. Your use of the information in these publications or linked material is at your own risk. Inrupt reserves the right to change or update this content without notice at any time.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Inrupt.com? Or solidproject.org? This document is starting to exhibit a split personality...


### Hall of Fame
Thank you to the following people for reporting vulnerabilities.