lastid-sdk 0.3.0

Rust SDK for LastID IDP integration - request and verify credentials with type-safe policy builders
# Security Policy

## Supported Versions

| Version | Supported          |
| ------- | ------------------ |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

The LastID team takes security vulnerabilities seriously. We appreciate your efforts to responsibly disclose your findings.

### How to Report

**Please do NOT report security vulnerabilities through public GitHub issues.**

Instead, please report them via email to:

📧 **security@lastid.co**

### What to Include

Please include the following information in your report:

- Type of vulnerability (e.g., buffer overflow, SQL injection, XSS)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability and how an attacker might exploit it

### Response Timeline

- **Initial Response**: Within 48 hours of receiving your report
- **Status Update**: Within 7 days with an assessment
- **Resolution**: We aim to resolve critical vulnerabilities within 30 days

### What to Expect

1. **Acknowledgment**: We will acknowledge your report within 48 hours
2. **Assessment**: Our security team will assess the vulnerability
3. **Communication**: We will keep you informed of our progress
4. **Credit**: With your permission, we will credit you in the security advisory

### Safe Harbor

We consider security research conducted in good faith under this policy to be:

- Authorized concerning any applicable anti-hacking laws
- Authorized concerning any relevant anti-circumvention laws
- Exempt from restrictions in our Terms of Service that would interfere with conducting security research

We will not bring legal action against researchers who:

- Make a good faith effort to avoid privacy violations, destruction of data, and interruption of services
- Only interact with accounts they own or with the explicit permission of the account holder
- Do not exploit a vulnerability beyond demonstrating its existence

### Scope

The following are in scope for security research:

- `lastid-sdk` crate and all its features
- WASM bindings and JavaScript interop
- Cryptographic implementations (DPoP, key management)
- Authentication and authorization flows
- Trust registry validation

### Out of Scope

- Denial of service attacks
- Social engineering
- Physical security
- Third-party services or infrastructure

## Security Best Practices

When using this SDK:

1. **Always use HTTPS** in production (HTTP is only allowed for localhost development)
2. **Validate all callbacks** to prevent open redirect vulnerabilities
3. **Store credentials securely** - never log or expose access tokens
4. **Keep dependencies updated** - run `cargo audit` regularly
5. **Use the trust registry** - always validate issuers before accepting credentials
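Practices 1 and 2 above can be enforced in one place before a callback URL is ever used for a redirect. The following is an added example, not code from the `lastid-sdk` crate: it parses the URL with the standard library only, requires HTTPS unless the host is a loopback name, rejects `user@host` tricks, and accepts only hosts on an explicit allowlist (the allowlist entries are made up).

```rust
/// Why a callback URL was rejected.
#[derive(Debug, PartialEq)]
pub enum CallbackError {
    MissingScheme,
    InsecureScheme,
    HasUserInfo,
    HostNotAllowed,
}

/// Loopback hosts for which plain HTTP is tolerated during development.
fn is_localhost(host: &str) -> bool {
    matches!(host, "localhost" | "127.0.0.1" | "[::1]")
}

/// Validate a redirect/callback URL against the HTTPS rule and an exact host allowlist.
/// `allowed_hosts` is an assumed configuration value supplied by the application.
pub fn validate_callback(url: &str, allowed_hosts: &[&str]) -> Result<(), CallbackError> {
    let (scheme, rest) = url.split_once("://").ok_or(CallbackError::MissingScheme)?;
    // The authority ends at the first path, query or fragment delimiter.
    let authority = rest.split(|c| c == '/' || c == '?' || c == '#').next().unwrap_or("");
    // "https://good.example@evil.example" would send the user to evil.example; refuse it.
    if authority.contains('@') {
        return Err(CallbackError::HasUserInfo);
    }
    // Strip any port, keeping bracketed IPv6 literals intact.
    let host = if authority.starts_with('[') {
        format!("{}]", authority.split(']').next().unwrap_or(""))
    } else {
        authority.split(':').next().unwrap_or("").to_string()
    };
    let host = host.to_ascii_lowercase();
    // Rule 1: HTTPS everywhere, HTTP only for loopback development hosts.
    match scheme.to_ascii_lowercase().as_str() {
        "https" => {}
        "http" if is_localhost(&host) => {}
        _ => return Err(CallbackError::InsecureScheme),
    }
    // Rule 2: exact-match allowlist blocks open redirects (no prefix or suffix matching).
    if !allowed_hosts.iter().any(|h| h.eq_ignore_ascii_case(&host)) {
        return Err(CallbackError::HostNotAllowed);
    }
    Ok(())
}

fn main() {
    let allow = ["app.example.com", "localhost"];
    for u in ["https://app.example.com/cb?code=1", "http://app.example.com/cb",
              "https://app.example.com@evil.example/cb", "http://localhost:3000/cb"] {
        println!("{u} -> {:?}", validate_callback(u, &allow));
    }
}
```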

## Acknowledgments

We thank the following researchers for responsibly disclosing vulnerabilities:

*No vulnerabilities have been reported yet.*