The Jupyter Notebook documentation has a small section on how to report vulnerabilities: https://jupyter-notebook.readthedocs.io/en/stable/security.html
A recent thread in a docker-stacks issues suggests this information is not easy to come by: https://github.com/jupyter/docker-stacks/issues/560#issuecomment-475087657
A Google search (https://www.google.com/search?q=jupyter+vulnerability+reporting) does turn up the notebook documentation page, but it’s not obvious the answer is on the page nor is it at the top of the results.
We should make the responsible reporting procedure more readily visible. Should we put it on the web site? In the jupyter.readthedocs.org documentation? Here on Discourse? All of the above?