You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: security.md
+22-5Lines changed: 22 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -9,16 +9,34 @@ The Jupyter Security Subproject exists to provide help and advice to Jupyter
9
9
users, operators, and developers on security topics and to help coordinate handling
10
10
of security issues.
11
11
12
-
## Reporting vulnerabilities
12
+
## How to report vulnerabilities
13
13
14
14
If you believe you've found a security vulnerability in a [Jupyter Subproject](https://jupyter.org/governance/list_of_subprojects.html),
15
15
you can either:
16
+
16
17
- directly open a GitHub Security Advisory (GHSA) in the relevant repository
17
18
- report it to [security@ipython.org](mailto:security@ipython.org) if opening a GHSA is not possible, or you are unsure
18
19
where it will belong.
19
20
20
-
If you prefer to encrypt your security reports,
21
-
you can use [this PGP public key](assets/ipython_security.asc).
21
+
**We do not currently run bug bounty programs, and do not currently reward
22
+
vulnerability discovery.**
23
+
24
+
If you prefer to encrypt your security reports, use [this PGP public key](assets/ipython_security.asc).
25
+
26
+
### Guidelines for reporting vulnerabilities
27
+
28
+
- If you are unsure, it is always best to contact us.
29
+
- Remember we are an open source project maintained by volunteers, we have limited resources to spare. Please be mindful of our time.
30
+
-**Avoid** sending basic reports that just use website scanning tools without context or understanding of the problem:
31
+
- Example: we often receive minimalist reports of JavaScript vulnerability or incorrect CORS on
32
+
_static_ websites (mostly on jupyter.org and documentation on `*.readthedocs.io`). Static website are not affected by these kinds of issues.
33
+
- Examples of how to do this more effectively:
34
+
- You ran a tool and think there is vulnerability because you are learning. In the body of your message, include your analysis and your uncertainty about the problem.
35
+
- You are a security researcher: Verify the tool claim and try to develop
36
+
a POC showing how the vulnerability could be exploited, and the fix that could resolve the problem.
37
+
-**Avoid** sending mass emails to `security@ipython.org` (especially when cc'ing dozens of other emails from bug bounty programs)
38
+
-**Avoid** asking if we run a bug bounty programs or reward discovery in a private channel, discuss it in the public forum.
39
+
22
40
23
41
## Vulnerability information
24
42
@@ -41,8 +59,7 @@ We are working to identify and coordinate security efforts across the Jupyter co
41
59
The [Jupyter Security](https://github.com/jupyter/security) GitHub repo has information how to participate and contribute.
42
60
For discussion, please use the special Discourse [security topic](https://discourse.jupyter.org/c/special-topics/security/48) on the Jupyter Discourse server.
43
61
44
-
45
-
## vendor assessments
62
+
## Vendor assessments
46
63
47
64
Jupyter cannot provide, or fill in "Plan-Risk Assessment", "Hecvat", "Vpat" and
0 commit comments