Skip to content

Commit ac4ffae

Browse files
Carreaucholdgraf
Carreau
and
choldgraf
authored
Add guidelines for contacting the security WG to avoid spam etc (#796)
Co-authored-by: Chris Holdgraf <[email protected]>
1 parent b241fdd commit ac4ffae

File tree

1 file changed

+22
-5
lines changed

1 file changed

+22
-5
lines changed

security.md

Lines changed: 22 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -9,16 +9,34 @@ The Jupyter Security Subproject exists to provide help and advice to Jupyter
99
users, operators, and developers on security topics and to help coordinate handling
1010
of security issues.
1111

12-
## Reporting vulnerabilities
12+
## How to report vulnerabilities
1313

1414
If you believe you've found a security vulnerability in a [Jupyter Subproject](https://jupyter.org/governance/list_of_subprojects.html),
1515
you can either:
16+
1617
- directly open a GitHub Security Advisory (GHSA) in the relevant repository
1718
- report it to [[email protected]](mailto:[email protected]) if opening a GHSA is not possible, or you are unsure
1819
where it will belong.
1920

20-
If you prefer to encrypt your security reports,
21-
you can use [this PGP public key](assets/ipython_security.asc).
21+
**We do not currently run bug bounty programs, and do not currently reward
22+
vulnerability discovery.**
23+
24+
If you prefer to encrypt your security reports, use [this PGP public key](assets/ipython_security.asc).
25+
26+
### Guidelines for reporting vulnerabilities
27+
28+
- If you are unsure, it is always best to contact us.
29+
- Remember we are an open source project maintained by volunteers, we have limited resources to spare. Please be mindful of our time.
30+
- **Avoid** sending basic reports that just use website scanning tools without context or understanding of the problem:
31+
- Example: we often receive minimalist reports of JavaScript vulnerability or incorrect CORS on
32+
_static_ websites (mostly on jupyter.org and documentation on `*.readthedocs.io`). Static website are not affected by these kinds of issues.
33+
- Examples of how to do this more effectively:
34+
- You ran a tool and think there is vulnerability because you are learning. In the body of your message, include your analysis and your uncertainty about the problem.
35+
- You are a security researcher: Verify the tool claim and try to develop
36+
a POC showing how the vulnerability could be exploited, and the fix that could resolve the problem.
37+
- **Avoid** sending mass emails to `[email protected]` (especially when cc'ing dozens of other emails from bug bounty programs)
38+
- **Avoid** asking if we run a bug bounty programs or reward discovery in a private channel, discuss it in the public forum.
39+
2240

2341
## Vulnerability information
2442

@@ -41,8 +59,7 @@ We are working to identify and coordinate security efforts across the Jupyter co
4159
The [Jupyter Security](https://github.com/jupyter/security) GitHub repo has information how to participate and contribute.
4260
For discussion, please use the special Discourse [security topic](https://discourse.jupyter.org/c/special-topics/security/48) on the Jupyter Discourse server.
4361

44-
45-
## vendor assessments
62+
## Vendor assessments
4663

4764
Jupyter cannot provide, or fill in "Plan-Risk Assessment", "Hecvat", "Vpat" and
4865
similar vendor assessing questionnaire.

0 commit comments

Comments
 (0)