Responsible vulnerability reporting

#1

The Jupyter Notebook documentation has a small section on how to report vulnerabilities: https://jupyter-notebook.readthedocs.io/en/stable/security.html

A recent thread in a docker-stacks issues suggests this information is not easy to come by: https://github.com/jupyter/docker-stacks/issues/560#issuecomment-475087657

A Google search (https://www.google.com/search?q=jupyter+vulnerability+reporting) does turn up the notebook documentation page, but it’s not obvious the answer is on the page nor is it at the top of the results.

We should make the responsible reporting procedure more readily visible. Should we put it on the web site? In the jupyter.readthedocs.org documentation? Here on Discourse? All of the above?

1 Like
#2

https://securitytxt.org/ on jupyter.org, and link to that from other places.

#3

We should definitely make the reporting link more prominent/discoverable, and make sure it’s linked from several appropriate places (e.g zero-to-jupyterhub, jupyterhub docs, prominent link on jupyter.org, etc.)

I think we can wait on the security.txt proposal to see if it’s something people pick up. Unless it’s widely adopted, jupyter.org/.well-known/security.txt is not more discoverable than normal links on pages, and less easy to use than a regular page with links.

1 Like
#4

Picking this back up …

I hope to PR the z2j, jhub, etc. docs this week including at least the info currently found in the notebook docs. Assuming the jupyter.org site generator can place files at the root, I’ll send a PR to setup a minimal security.txt too since it can’t hurt.

@tgeorgeux any thoughts on where we might include a small paragraph about how to report suspected vulnerabilities in any Jupyter project on the current jupyter.org site? Something akin to:

If you find a security vulnerability in a Jupyter project, please report it to security@ipython.org.
If you prefer to encrypt your security reports, you can use this PGP public key .

2 Likes
#5

Sounds like a good plan

#6

Just to be on the sure side, AFAIK security.txt should be in /.well-known/, not the root.

1 Like
#7

Agreed. I wasn’t clear in my reply.

#8

PRs opened so far:

#9

Looks good I’ll ping Ana to merge it. (I don’t have merge rights the .io repo).

@parente thank you for jumping on this.

#10

All of the PRs mentioned in this thread are now merged. Thanks to everyone who helped out with reviewing!

1 Like