Create security.md #253
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||||
|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,33 @@ | ||||||||
| ### Security Vulnerability Reporting | ||||||||
| The Product Security Incident Response Team (PSIRT) at Solid acknowledges the valuable role researchers play. We encourage reporting of any concerns and vulnerabilities found in our sites or software. | ||||||||
|
|
||||||||
| [email protected] | ||||||||
| Submit an issue to our team on github | ||||||||
|
There was a problem hiding this comment. I'm not sure which repo these issues belong on.
Suggested change
|
||||||||
|
|
||||||||
| We are committed to working with the community to verify and respond to these reports in a timely fashion. Here's what you can expect when submitting a report: | ||||||||
|
|
||||||||
| * Acknowledgement of report receipt | ||||||||
| * Communication of estimated time for resolution | ||||||||
| * Notification of fix | ||||||||
|
|
||||||||
| We request that the following research not be conducted without formal authorization and advance coordination to avoid harms to customers and violation of laws. | ||||||||
|
|
||||||||
| * Denial of Service (DoS) of any kind | ||||||||
| * Automated security tools | ||||||||
| * Accessing, or attempting to access, data or information that does not belong to you | ||||||||
| * Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you | ||||||||
timea-solid marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||
|
|
||||||||
| Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on third party CVE handling. | ||||||||
timea-solid marked this conversation as resolved.
Show resolved
Hide resolved
There was a problem hiding this comment. Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Solid, please review the section on Handling Third Party CVE (Common Vulnerabilities and Exposures). |
||||||||
|
|
||||||||
| ### Third Party CVE Handling | ||||||||
| The Solid team updates 3rd party components within regularly scheduled release cycles, to the newest compatible version available during development. A vulnerability related to a 3rd party component does not necessarily translate to a vulnerability in Inrupt software. PSIRT welcomes questions about the applicability of a 3rd party CVE. | ||||||||
timea-solid marked this conversation as resolved.
Show resolved
Hide resolved
|
||||||||
|
|
||||||||
| Risk is determined through internal scoring using CVSSv3.1 (https://www.first.org/cvss/calculator/3.1). | ||||||||
|
|
||||||||
| ### Security Advisories | ||||||||
| Notifications and descriptions of security incidents are available here. | ||||||||
|
There was a problem hiding this comment. To be clear, at loss of a better solution, are you recommended that the list of Security Advisories related to Solid will be currated manually as a list:
I would probably have a slight preference for the latter. There was a problem hiding this comment.
Suggested change
|
||||||||
|
|
||||||||
| Security Advisories and other security content are provided on an "as is" basis and do not imply any kind of guarantee or warranty. Your use of the information in these publications or linked material is at your own risk. Inrupt reserves the right to change or update this content without notice at any time. | ||||||||
|
There was a problem hiding this comment. Inrupt.com? Or solidproject.org? This document is starting to exhibit a split personality... |
||||||||
|
|
||||||||
| ### Hall of Fame | ||||||||
| Thank you to the following people for reporting vulnerabilities. | ||||||||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.