Security

Project Jupyter is committed to reducing risk in using, deploying, operating, or developing Jupyter software.

The Jupyter Security Subproject exists to provide help and advice to Jupyter users, operators, and developers on security topics and to help coordinate handling of security issues.

Reporting vulnerabilities

If you believe you’ve found a security vulnerability in a Jupyter Subproject, you can either:

  • directly open a GitHub Security Advisory (GHSA) in the relevant repository
  • report it to security@ipython.org if opening a GHSA is not possible, or you are unsure where it belongs.

If you prefer to encrypt your security reports, you can use this PGP public key.

Vulnerability information

Known vulnerabilities are tracked using the CVE vendor ID 15653 for Jupyter.

GitHub provides alerts about vulnerable dependencies. If your supply chain includes Jupyter projects, these alerts can help you respond to vulnerabilities quickly and easily.

Security documentation

Several Jupyter projects maintain security-related documentation regarding usage or deployment of Jupyter software.

Community resources

We are working to identify and coordinate security efforts across the Jupyter community and within all the various subprojects. The Jupyter Security GitHub repo has information on how to participate and contribute. For discussion, please use the special Discourse security topic on the Jupyter Discourse server.

Vendor assessments

Jupyter cannot provide or fill in “Plan-Risk Assessment”, “HECVAT”, “VPAT” and similar vendor assessment questionnaires.

You have likely been redirected to this section after contacting the Jupyter security team to fill in a questionnaire about the security best practices of your Jupyter “vendor”, and to assess the Jupyter “product”.

The Jupyter Team and Jupyter Security team are not vendors, and cannot act as a vendor. To be a vendor, Jupyter would need to have a contractual relationship with you, which we do not have.

Your questionnaire also likely asks how your ‘vendor’ stores your information (user information, billing information, contact…), who has access to it, how they are vetted, etc. The Jupyter team does not have any contact or billing information, nor do we collect, store or have access to any information about how your Jupyter users use Jupyter or what they do in Jupyter. The Jupyter Team is also not aware of who installs Jupyter.

  • If you use a service provider for Jupyter, they are your vendor, and can answer those questions.

  • If you self-host Jupyter, then it is likely up to your IT team to fill in those assessments, as all the data is controlled by your IT team.

  • If you still need a vendor assessment, we advise you to contact one of the many companies that provide Jupyter support. Unfortunately, we cannot give you names, out of fairness.

