Security: inrupt/solid-client-java

SECURITY.md

Security policy

Inrupt takes the security of our software products and services seriously. This includes all source code repositories managed through our GitHub organization.

If you believe you have found a security vulnerability in any Inrupt-owned repository, please report it to us as described below.

About this repository

These libraries help developers create Solid applications. The libraries are composed of different modules with different features.

  • Some modules help with reading and writing data in Solid servers. Data should always be considered sensitive and be processed with care and with regard to access restrictions and personal information.
  • Some modules help with authentication. Authentication is a sensitive domain, so we designed these libraries with particular attention to security. In particular, we decided to apply the following rules:
    • Comply with the OAuth security guidelines. This involves, among other things:
      • No support for the implicit grant and the resource owner password grant;
      • The use of a PKCE token;
      • Binding tokens to a DPoP key to make them sender-constrained whenever possible.

Reporting a vulnerability

Please do not report security vulnerabilities through public GitHub issues.

Instead, if you discover a vulnerability in our code, or experience a bug related to security, please report it following the instructions provided on Inrupt’s security page.

Preferred Languages

We prefer all communications to be in English.

There aren’t any published security advisories