Responsible vulnerability reporting

The Jupyter Notebook documentation has a small section on how to report vulnerabilities:

A recent thread in a docker-stacks issues suggests this information is not easy to come by:

A Google search ( does turn up the notebook documentation page, but it’s not obvious the answer is on the page nor is it at the top of the results.

We should make the responsible reporting procedure more readily visible. Should we put it on the web site? In the documentation? Here on Discourse? All of the above? on, and link to that from other places.

We should definitely make the reporting link more prominent/discoverable, and make sure it’s linked from several appropriate places (e.g zero-to-jupyterhub, jupyterhub docs, prominent link on, etc.)

I think we can wait on the security.txt proposal to see if it’s something people pick up. Unless it’s widely adopted, is not more discoverable than normal links on pages, and less easy to use than a regular page with links.

1 Like

Picking this back up …

I hope to PR the z2j, jhub, etc. docs this week including at least the info currently found in the notebook docs. Assuming the site generator can place files at the root, I’ll send a PR to setup a minimal security.txt too since it can’t hurt.

@tgeorgeux any thoughts on where we might include a small paragraph about how to report suspected vulnerabilities in any Jupyter project on the current site? Something akin to:

If you find a security vulnerability in a Jupyter project, please report it to
If you prefer to encrypt your security reports, you can use this PGP public key .


Sounds like a good plan

Just to be on the sure side, AFAIK security.txt should be in /.well-known/, not the root.

1 Like

Agreed. I wasn’t clear in my reply.

PRs opened so far:

Looks good I’ll ping Ana to merge it. (I don’t have merge rights the .io repo).

@parente thank you for jumping on this.

All of the PRs mentioned in this thread are now merged. Thanks to everyone who helped out with reviewing!

1 Like