Security Vulnerability Reporting
The Product Security Incident Response Team (PSIRT) at Inrupt acknowledges the valuable role researchers play. We encourage reporting of any concerns and vulnerabilities found in our site or software.
- security@inrupt.com
- Submit an issue to our Service Desk
Inrupt is committed to working with the community to verify and respond to these reports in a timely fashion. Here's what you can expect when submitting a report.
- Acknowledgement of report receipt
- Communication of estimated time for resolution
- Notification of fix
Inrupt requests that the following research not be conducted without formal authorization and advance coordination to avoid harms to customers and violation of laws.
- Denial of Service (DoS) of any kind
- Automated security tools
- Accessing, or attempting to access, data or information that does not belong to you
- Destroying or corrupting, or attempting to destroy or corrupt, data or information that does not belong to you
Software often contains third party or open source libraries and binaries. Prior to submitting a request to validate how a security issue in third party components may impact Inrupt, please review the section on third party CVE handling.
Third Party CVE Handling
Inrupt updates 3rd party components within regularly scheduled release cycles, to the newest compatible version available during development. A vulnerability related to a 3rd party component does not necessarily translate to a vulnerability in Inrupt software. PSIRT welcomes questions about the applicability of a 3rd party CVE.
Risk is determined through internal scoring using CVSSv3.1 (https://www.first.org/cvss/calculator/3.1).
Security Advisories
Notifications and descriptions of security incidents are available here.
Security Advisories and other security content are provided on an "as is" basis and do not imply any kind of guarantee or warranty. Your use of the information in these publications or linked material is at your own risk. Inrupt reserves the right to change or update this content without notice at any time.
PGP Public Keys
Use the Inrupt Security Team public PGP key to encrypt email with sensitive information and to verify communication as genuine.
| Active Date | Aug 6, 2021 |
| Expiration Date | Aug 6, 2023 |
| Key Type | RSA |
| Key Size | 3072 |
| Fingerprint | 800A E4A2 DDD9 FB4E 27AF C5C1 18BE B01B 7F18 A1FA |
| UID | security@inrupt.com |
| PGP Key | inrupt-securty-public.asc |
Hall of Fame
Thank you to the following people for reporting vulnerabilities.
Justin Richer, Bespoke Engineering