Security

Project Jupyter is committed to reducing risk in using, deploying, operating, or developing Jupyter software.

The Jupyter Security Subproject exists to provide help and advice to Jupyter users, operators, and developers on security topics and to help coordinate handling of security issues.

How to report vulnerabilities

To report a security vulnerability in a Jupyter Subproject, take one of these two actions:

  1. Open a GitHub Security Advisory (GHSA) in the relevant repository (preferred approach). See the GitHub instructions for opening security advisories.
  2. Send an e-mail to security@jupyter.org reporting the vulnerability. Only do this if opening a GHSA is not possible, or you are unsure what to do or where the report belongs.

We do not currently run bug bounty programs, and do not currently reward vulnerability discovery.

If you prefer to encrypt your security reports, use this PGP public key.

Guidelines for reporting vulnerabilities

  • If you are unsure, it is always best to contact us.
  • Remember that we are an open source project maintained by volunteers, so we have limited resources to spare. Please be mindful of our time.
  • Avoid sending basic reports that just use website scanning tools without context or understanding of the problem:
    • Example: we often receive minimalist reports of JavaScript vulnerabilities or incorrect CORS on static websites (mostly on jupyter.org and documentation on *.readthedocs.io). Static websites are not affected by these kinds of issues.
    • Examples of how to do this more effectively:
      • You ran a tool and think there is a vulnerability because you are learning. In the body of your message, include your analysis and your uncertainty about the problem.
      • You are a security researcher: verify the tool's claim and try to develop a POC showing how the vulnerability could be exploited, and the fix that could resolve the problem.
  • Avoid sending mass emails to security@ipython.org (especially when cc'ing dozens of other emails from bug bounty programs).
  • Avoid asking in a private channel whether we run a bug bounty program or reward discovery; discuss it in the public forum.

Vulnerability information

Known vulnerabilities are tracked using the CVE vendor ID 15653 for Jupyter.

GitHub provides alerts about vulnerable dependencies. If your supply chain includes Jupyter projects, these alerts can help you respond to vulnerabilities quickly and easily.

Security documentation

Several Jupyter projects maintain security-related documentation regarding usage or deployment of Jupyter software.

Community resources

We are working to identify and coordinate security efforts across the Jupyter community and within all the various subprojects. The Jupyter Security GitHub repo has information on how to participate and contribute. For discussion, please use the special Discourse security topic on the Jupyter Discourse server.

Vendor assessments

Jupyter cannot provide, or fill in, “Plan-Risk Assessment”, “Hecvat”, “Vpat” and similar vendor assessment questionnaires.

You likely have been redirected to this section after contacting the Jupyter security team to fill in a questionnaire about the security best practices of your Jupyter “vendor”, and to assess the Jupyter “product”.

The Jupyter Team and Jupyter Security team are not vendors, and cannot act as a vendor. To be a vendor, Jupyter would need to have a contractual relationship with you, which we do not have.

Your questionnaire also likely asks how your ‘vendor’ stores your information (user information, billing information, contact…); who has access to it; how they are vetted… etc. The Jupyter team does not have any contact or billing information; nor do we collect, store or have access to any information about how your Jupyter users use Jupyter, or what they do in Jupyter; the Jupyter Team is not aware either of who installs Jupyter.

  • If you use a service provider for Jupyter, they are your vendor, and can answer those questions.

  • If you self-host Jupyter, then it is likely up to your IT team to fill in those assessments, as all the data is controlled by your IT team.

  • If you still do need a vendor assessment, we advise you to contact one of the many companies that provide Jupyter support; unfortunately we cannot give you names, out of fairness.
