We should make the responsible reporting procedure more readily visible. Should we put it on the web site? In the jupyter.readthedocs.org documentation? Here on Discourse? All of the above?
We should definitely make the reporting link more prominent/discoverable, and make sure it’s linked from several appropriate places (e.g. zero-to-jupyterhub, jupyterhub docs, prominent link on jupyter.org, etc.)
I think we can wait on the security.txt proposal to see if it’s something people pick up. Unless it’s widely adopted, jupyter.org/.well-known/security.txt is not more discoverable than normal links on pages, and less easy to use than a regular page with links.
I hope to PR the z2j, jhub, etc. docs this week including at least the info currently found in the notebook docs. Assuming the jupyter.org site generator can place files at the root, I’ll send a PR to set up a minimal security.txt too since it can’t hurt.
@tgeorgeux any thoughts on where we might include a small paragraph about how to report suspected vulnerabilities in any Jupyter project on the current jupyter.org site? Something akin to:
If you find a security vulnerability in a Jupyter project, please report it to security@ipython.org.
If you prefer to encrypt your security reports, you can use this PGP public key.