From d38dc6bd21975d9ba86e8764b76621cbc522d6b8 Mon Sep 17 00:00:00 2001 From: davi Date: Fri, 5 Mar 2021 11:07:33 -0500 Subject: [PATCH 1/5] Create security.md --- security.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 security.md diff --git a/security.md b/security.md new file mode 100644 index 0000000..7ea7c83 --- /dev/null +++ b/security.md 
@@ -0,0 +1,33 @@ +### Security Vulnerability Reporting +The Product Security Incident Response Team (PSIRT) at Solid acknowledges the valuable role researchers play. We encourage reporting of any concerns and vulnerabilities found in our sites or software. + +info@solidproject.org +Submit an issue to our team on github + +We are committed to working with the community to verify and respond to these reports in a timely fashion. Here's what you can expect when submitting a report: + +* Acknowledgement of report receipt +* Communication of estimated time for resolution +* Notification of fix + +We request that the following research not be conducted without formal authorization and advance coordination to avoid harms to customers and violation of laws. + +* Denial of Service (DoS) of any kind +* Automated security tools +* Accessing, or attempting to access, data or information that does not belong to you +* Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you + +Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on third party CVE handling. + +### Third Party CVE Handling +The Solid team updates 3rd party components within regularly scheduled release cycles, to the newest compatible version available during development. A vulnerability related to a 3rd party component does not necessarily translate to a vulnerability in Inrupt software. PSIRT welcomes questions about the applicability of a 3rd party CVE. + +Risk is determined through internal scoring using CVSSv3.1 (https://www.first.org/cvss/calculator/3.1). + +### Security Advisories +Notifications and descriptions of security incidents are available here. + +Security Advisories and other security content are provided on an "as is" basis and do not imply any kind of guarantee or warranty. 
Your use of the information in these publications or linked material is at your own risk. Inrupt reserves the right to change or update this content without notice at any time. + +### Hall of Fame +Thank you to the following people for reporting vulnerabilities. From f68c8b72aff0247fd2b5042cdd012597be000908 Mon Sep 17 00:00:00 2001 From: Timea <4144203+timea-solid@users.noreply.github.com> Date: Tue, 24 Jan 2023 22:49:26 +0100 Subject: [PATCH 2/5] Update security.md Co-authored-by: Matthieu Bosquet --- security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/security.md b/security.md index 7ea7c83..fef483f 100644 --- a/security.md +++ b/security.md @@ -17,7 +17,7 @@ We request that the following research not be conducted without formal authoriza * Accessing, or attempting to access, data or information that does not belong to you * Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you -Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on third party CVE handling. +Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on third party Common Vulnerabilities and Exposures (CVE) handling. ### Third Party CVE Handling The Solid team updates 3rd party components within regularly scheduled release cycles, to the newest compatible version available during development. A vulnerability related to a 3rd party component does not necessarily translate to a vulnerability in Inrupt software. PSIRT welcomes questions about the applicability of a 3rd party CVE. From f51dcc1ae3ccfe24ba43513877d31b8465c26e93 Mon Sep 17 00:00:00 2001 
From: Timea <4144203+timea-solid@users.noreply.github.com> Date: Tue, 24 Jan 2023 22:49:32 +0100 Subject: [PATCH 3/5] Update security.md Co-authored-by: Matthieu Bosquet --- security.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security.md b/security.md index fef483f..be98ec1 100644 --- a/security.md +++ b/security.md @@ -1,8 +1,9 @@ ### Security Vulnerability Reporting The Product Security Incident Response Team (PSIRT) at Solid acknowledges the valuable role researchers play. We encourage reporting of any concerns and vulnerabilities found in our sites or software. -info@solidproject.org -Submit an issue to our team on github +In order to report any concern: +* Submit an issue to our team on github; or +* Email: info@solidproject.org We are committed to working with the community to verify and respond to these reports in a timely fashion. Here's what you can expect when submitting a report: From 351dd5b79993aacb102d7ab7e18cfa254dfd6935 Mon Sep 17 00:00:00 2001 From: Timea <4144203+timea-solid@users.noreply.github.com> Date: Tue, 24 Jan 2023 22:50:19 +0100 Subject: [PATCH 4/5] Update security.md Co-authored-by: Ted Thibodeau Jr --- security.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/security.md b/security.md index be98ec1..3cc6103 100644 --- a/security.md +++ b/security.md 
@@ -13,10 +13,10 @@ We are committed to working with the community to verify and respond to these re We request that the following research not be conducted without formal authorization and advance coordination to avoid harms to customers and violation of laws. -* Denial of Service (DoS) of any kind -* Automated security tools -* Accessing, or attempting to access, data or information that does not belong to you -* Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you +* Denial of Service (DoS) testing of any kind +* Automated security testing +* Testing access to data or information that does not belong to you +* Testing ability to destroy or corrupt data or information that does not belong to you Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on third party Common Vulnerabilities and Exposures (CVE) handling. From 515177c0cfb3f1f5450da8a98bf2a3d6222a2fc6 Mon Sep 17 00:00:00 2001 From: Timea <4144203+timea-solid@users.noreply.github.com> Date: Tue, 24 Jan 2023 22:51:13 +0100 Subject: [PATCH 5/5] Update security.md Co-authored-by: Ted Thibodeau Jr --- security.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/security.md b/security.md index 3cc6103..dfef1ec 100644 --- a/security.md +++ b/security.md 
@@ -20,8 +20,9 @@ We request that the following research not be conducted without formal authoriza Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on third party Common Vulnerabilities and Exposures (CVE) handling. -### Third Party CVE Handling -The Solid team updates 3rd party components within regularly scheduled release cycles, to the newest compatible version available during development. A vulnerability related to a 3rd party component does not necessarily translate to a vulnerability in Inrupt software. PSIRT welcomes questions about the applicability of a 3rd party CVE. +### Handling Third Party CVE + +The Solid team updates third party components to the newest compatible version available during development in regularly scheduled release cycles. A vulnerability related to a third party component does not necessarily translate to a vulnerability in Solid software. PSIRT welcomes questions about the applicability of a Third Party CVE. Risk is determined through internal scoring using CVSSv3.1 (https://www.first.org/cvss/calculator/3.1).
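Review bot: in the `@@ -0,0 +1,33 @@` hunk of PATCH 1/5, the only two reporting channels are a general-purpose mailbox (`info@solidproject.org`) and "Submit an issue to our team on github", so a reporter following the page as written files an unpatched vulnerability in a public issue tracker before the team has triaged it. Point reporters at a dedicated security address and at GitHub's private vulnerability reporting (or a draft security advisory) instead of a public issue, and publish a PGP key if email stays the primary channel. The same hunk names two organizations: the first paragraph says "PSIRT at Solid", while the CVE paragraph says "a vulnerability in Inrupt software" and the advisories paragraph says "Inrupt reserves the right to change or update this content"; pick one. "Notifications and descriptions of security incidents are available here." has no link behind "here", so the Security Advisories section currently points nowhere.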
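Review bot: the expansion to "third party Common Vulnerabilities and Exposures (CVE) handling" in the PATCH 2/5 hunk is a cross-reference by approximate name only; the target heading in the same file reads "Third Party CVE Handling". Make it a markdown link to the section anchor, e.g. `[third party CVE handling](#third-party-cve-handling)`, so the reference does not silently break the next time the heading is reworded.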
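Review bot: in the PATCH 3/5 hunk the new bullet list puts "Submit an issue to our team on github; or" first and links neither item, so the default path for a reporter is a public issue in an unnamed repository. Link the GitHub bullet to the actual repository (or its security advisory page), capitalize "GitHub", and list the email channel first, since a public issue discloses the report before triage.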
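Review bot: in the PATCH 4/5 hunk the rewording from actions to "testing" makes the out-of-scope list weaker and vaguer: "Testing access to data or information that does not belong to you" no longer clearly covers a reporter who reads another user's data as a side effect of some other test, and "Automated security testing" bans all scanning without saying of what. Keep the action wording from the removed lines ("Accessing, or attempting to access, data or information that does not belong to you") and, if the intent is to forbid scanners against production, say "automated scanning of production systems" explicitly.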
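Review bot: PATCH 5/5 renames the heading to "### Handling Third Party CVE" and changes "Inrupt software" to "Solid software", but the unchanged context line directly above it still says "please review the section on third party Common Vulnerabilities and Exposures (CVE) handling", and the Security Advisories paragraph outside this hunk still reads "Inrupt reserves the right to change or update this content without notice at any time." Update the cross-reference to match the new heading (and prefer the plural "CVEs" in both the heading and the closing sentence's "a Third Party CVE"), and fix the remaining Inrupt reference in the same commit so the document names a single responsible organization.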