The Product Security Incident Response Team (PSIRT) at Solid acknowledges the valuable role researchers play. We encourage reporting of any concerns and vulnerabilities found in our sites or software.
In order to report any concern:
- Submit an issue to our team on github; or
- Email: info@solidproject.org
We are committed to working with the community to verify and respond to these reports in a timely fashion. Here's what you can expect when submitting a report:
- Acknowledgement of report receipt
- Communication of estimated time for resolution
- Notification of fix
We request that the following research not be conducted without formal authorization and advance coordination to avoid harms to customers and violation of laws.
- Denial of Service (DoS) testing of any kind
- Automated security testing
- Testing access to data or information that does not belong to you
- Testing ability to destroy or corrupt data or information that does not belong to you
Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on third party Common Vulnerabilities and Exposures (CVE) handling.
The Solid team updates third party components to the newest compatible version available during development in regularly scheduled release cycles. A vulnerability related to a third party component does not necessarily translate to a vulnerability in Solid software. PSIRT welcomes questions about the applicability of a Third Party CVE.
Risk is determined through internal scoring using CVSSv3.1 (https://www.first.org/cvss/calculator/3.1).
Notifications and descriptions of security incidents are available here.
Security Advisories and other security content are provided on an "as is" basis and do not imply any kind of guarantee or warranty. Your use of the information in these publications or linked material is at your own risk. Inrupt reserves the right to change or update this content without notice at any time.
Thank you to the following people for reporting vulnerabilities.